They typically borrow $10 for every $1 of equity, which can amplify any missteps or oversight. Robust oversight by a board of directors, and in particular the audit and risk committees, is key to the success of any institution.
“At the Federal Reserve Bank of Kansas City, we have consistently found a strong correlation between overall bank health and the level of director engagement,” wrote Kansas City Fed President Esther George in the agency’s governance manual, “Basics for Bank Directors.” “Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors.”
This may sound trite, but the strongest bank boards embrace a collective sense of curiosity and cognitive diversity, according to executives and directors at Bank Director’s 2019 Bank Audit & Risk Committees Conference in Chicago.
Balancing revenue generation against risk management requires a bank’s audit and risk committees to invite skepticism, foster intelligent discussion and create a space for constructive disagreements. Institutions also need to remain abreast of emerging risks and changes that impact operations and strategy.
This is why curiosity, in particular, is so important.
“It’s critical for audit committee members to have curiosity and a critical mind,” says Sal Inserra, a partner at Crowe LLP. “You need to ask the tough questions. The worst thing is a silent audit committee meeting. It’s important to be inquisitive and have a sense of curiosity.”
Board members who are intellectually curious can provide credible challenges to management, agrees John Erickson, a director at Bank of Hawaii Corp.
Focusing on intellectual curiosity, as opposed to a set of concrete skills, can also broaden the pool of individuals that are qualified to sit on a bank’s audit and risk committees. These committees have traditionally been the domain of certified public accountants, but a significant portion of audit committee members in attendance at the conference were not CPAs.
Robert Glaser, the audit committee chair at Five Star Bank, sees that diversity of experience as an advantage for banks. He and several others say a diversity of experiences, or cognitive diversity, invites and cultivates diversity of thought. These members should be unafraid to bring their questions and perspectives to meetings.
Having non-CPAs on the audit committee of Pacific Premier Bancorp has helped the firm manage the variety of risks it faces, says Derrick Hong, chief audit executive at Pacific Premier. The audit committee chair is a CPA, but the bank has found it “very helpful” to have non-CPAs on the committee as well, he says.
Audit and risk committee members with diverse experiences can also balance the traditional perspective of the CPA-types.
“It’s important [for audit committee members] to have balance. Bean counters don’t know everything,” says Paul Ward, chief risk officer at Community Bank System, who self-identifies as a “bean counter.”
“Some of the best questions I’ve seen [from audit committee members] have come from non-CPAs,” Ward says.
However, banks interested in cultivating intellectual curiosity and cognitive diversity in their audit and risk committees still need to identify board members with an appreciation for financial statements, and the work that goes into crafting them. After all, the audit committee helps protect the financial integrity of a bank through internal controls and reporting, not just reviewing financial statements before they are released.
Executives and board chairs also say that audit and risk committee members need to be dynamic and focus on how changes inside and outside the bank can alter its risk profile. Intellectual curiosity can help banks remain focused on these changes and resist the urge to become complacent.
I’ll be the first to admit that qualities like curiosity and cognitive diversity sound cliché. But just because something sounds cliché doesn’t mean it isn’t also true.
At around a quarter to seven o’clock on the evening of Saturday, May 11, firefighters showed up at Enloe State Bank in Cooper, Texas, to find a stack of papers on fire on the conference room table.
“We believe it is suspicious,” said the sheriff, “but we don’t have any more information at this point.” Three weeks later, regulators seized the bank “due to insider abuse and fraud by former officers,” according to Texas Banking Commissioner Charles Cooper.
It’s fair to say that Enloe State Bank is an outlier. It was the first bank to fail in a year and a half, in fact. And one can’t help but wonder what would lead someone to set papers ablaze on a conference room table.
Yet, incidents like this are important for bank executives and directors to register, because they underscore the importance of proactive oversight by a bank’s board—especially the audit and risk committees.
“The essence of the audit committee’s responsibilities is protecting the bank,” said Derrick Hong, the chief audit executive at Pacific Premier Bank, at Bank Director’s 2019 Bank Audit & Risk Committees Conference taking place in Chicago this week. “There are so many pitfalls and risks that could potentially take down a bank, so focusing on those things is the key responsibility of the audit committee.”
Admittedly, it seems like an odd time to worry about risk.
Bank capital levels have never been stronger or of higher quality, noted Steven Hovde, chairman and CEO of Hovde Group. Net charge-offs are lower across the industry than they’ve been in decades. And tax reform has catalyzed profitability. Despite narrow lending margins and subpar efficiency, the banking industry is once again earning more than 1 percent on its assets, exceeding the benchmark threshold last year for the first time since the financial crisis.
But it’s in the good times like these that banking’s troubles are sowed.
“You have to be proactive rather than reactive,” said Mike Dempsey, senior manager at Dixon Hughes Goodman LLP. This approach stems from culture, said Dempsey’s co-presenter LeAnne Staalenburg, senior vice president in charge of corporate security and risk at Capital City Bank Group.
“Culture is key,” said Staalenburg. “Having that culture spread throughout the organization is critical to having a successful risk management program.”
To be clear, the biggest threat to banks currently isn’t bad loans. Credit policy isn’t something to ignore, of course, because loan losses will climb when the cycle takes a turn for the worse. But banks have plenty of capital to absorb those losses, and memories of the last crisis are still fresh in many risk managers’ minds.
The biggest threat isn’t related to funding, either. Even though bankers are concerned about large institutions taking deposit market share as interest rates climb, 74 percent of attendees at Bank Director’s Audit & Risk Committees Conference said their institutions either maintained their existing share or gained share as rates inched higher.
Instead, according to conference attendees, the biggest threat is related to technology. When asked which categories of risk they were most concerned about, 69 percent identified cybersecurity as the No. 1 threat.
Vendor relationships only aggravate this concern. As Staalenburg and Dempsey noted in response to an attendee’s question, vendors offer another way for malicious actors to infiltrate a bank.
Even though we are in a golden age of banking, Hovde emphasized, now is not the time for a bank’s board, and particularly its audit and risk committees, to be complacent.
“Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors,” wrote Kansas City Federal Reserve President Esther George in the Fed’s governance manual, Basics for Bank Directors. “Conversely, in cases where banks have more severe problems and recurring issues, it is not uncommon to find a disengaged board that may be struggling to understand its role and fulfill its fiduciary responsibilities.”
How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?
The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.
Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.
Regular readers of Bank Director know that executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings.
But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.
So when we talk about trending topics at this year’s Bank Audit and Risk Committees Conference, hosted by Bank Director in Chicago from June 10-12, we do so with an eye not just to the internal challenges faced by your institution but on the external pressures as well.
As we prepare to host 317 women and men from banks across the country, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk.
Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution.
Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations. I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry.
That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.
If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?
When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.
And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?
Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.
At our upcoming event in Chicago, the Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”
One of the central topics of conversation at this week’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago is whether a bank’s board of directors should have a risk committee separate from its audit committee. And for banks that have already established a risk committee, the question is what responsibilities should be delegated to it.
In one respect, the question of whether a bank should establish a risk committee seems easy to answer because it’s clearly delineated in the regulations. Under the original Dodd-Frank Act of 2010, banks with more than $10 billion in assets are required by law to have one, though that threshold was raised to $50 billion in legislation enacted last month designed to ease the burden of the post-financial crisis regulatory regime on smaller banks.
There is a general consensus among attendees at this year’s conference that a bank shouldn’t base its decision to establish a risk committee solely on a size threshold. “Now that we have a risk committee, I don’t know how we did it without one,” said Tom Richovsky, chairman of the audit committee at United Community Banks, a $12.3-billion bank based in Blairsville, Georgia.
Rob Azarow, a partner at Arnold & Porter, says the decision should be informed by two factors in addition to size. The first is the complexity of a bank, with the presumption being that a bank with a more complex business model should establish a risk committee sooner than a bank with a less complex model. The second factor is dollars and cents—namely, whether a bank has the internal resources at its disposal to essentially split its existing audit committee into two.
It’s worth noting as well, as Azarow points out, that even under the new legislation, the Federal Reserve retains the authority to require a bank to implement a risk committee, irrespective of size. Another point to keep in mind is that even for banks not required as a result of their size to establish a risk committee, once established, it is subject to regulatory oversight.
Approximately half the banks at this year’s Bank Audit & Risk Committees Conference have both types of committees—audit and risk—with many of the others still weighing the pros and cons of establishing both.
Deciding whether to have a risk committee is only half the battle; the other half involves deciding exactly what that committee should do. Should it be vested with all risk-related questions, thereby usurping the authority over those questions from other committees? Or should the other committees retain their authority over relevant risks, while the risk committee plays the role of overseeing an aggregated view of those risks?
This distinction is clearest in the context of the credit committee, for example. One of the fundamental purposes of a credit committee is to gauge credit risk. It isn’t uncommon, for instance, for a bank to require its credit committee to approve especially large loans. Would the risk committee now handle this?
Generally, the answer is no. The role of the risk committee when it comes to credit risk is broader, focused on concentration risk as opposed to the risk associated with individual credits.
Another place this comes up is in the context of technology and information security. While the audit committee would retain the authority to ensure that current laws, regulations and best practices are being abided by, the risk committee would be more focused on looming threats.
Deciding which responsibilities fall under the risk committee as opposed to, say, the audit and credit committees seems to boil down to the question of whether the issue is backward-looking or forward-looking, tactical or strategic. Issues that are forward-looking and strategic should go to the risk committee, with the rest remaining under the jurisdiction of their home committees.
To be clear, conclusions on when and how to charter a risk committee are far from settled. There are rough best practices, but no overarching consensus in terms of bright lines. Even banks that have established separate risk committees with clearly delineated duties are still in a process of adjustment. They’re happy with their decision to do so, but they recognize that this is more of an evolution than a revolution.
Chief risk officers, risk committees and enterprise risk management—which go together like toast, eggs and ham—are still relatively new concepts in banking even though they have been mandated by the Federal Reserve Board since 2014 for institutions of a certain size. Banks with $10 billion in assets or greater are required to have an enterprise-wide risk committee, and banks above $50 billion must also have a chief risk officer. Union Bankshares Corp., a $7.8 billion asset institution headquartered in Richmond, Virginia, has all three. Under the leadership of Executive Vice President and Chief Risk Officer David G. Bilko, the holding company for Union Bank & Trust implemented its ERM program two years ago. Bilko is an enthusiastic supporter of an ERM approach, which he believes provides a clearer, more unified view of the bank’s risk profile than its previous approach, which tended to be fragmented. In an interview with Bank Director Editor in Chief Jack Milligan, Bilko talks about the challenges of implementing an ERM program, among other topics.
Define your role at Union. What are you responsible for? Bilko: In a nutshell, my responsibility can be boiled down to this: I own the design, implementation and governance of the enterprise risk management program.
We utilize the traditional three-lines-of-defense model. From a risk management perspective, the first line, which is the front line of the business units and support functions, really owns and is responsible for managing risk. The second line, which is the ERM function that I manage, provides the program, tools, standards and consistent practices that we use to help the first line in their risk management responsibilities. The third line of defense, which is the internal audit function, does the test work to ensure that those things are working properly.
How long has Union had an enterprise risk management program in place? What were some of the big challenges you had to deal with in terms of implementation? Bilko: We’ve had our ERM program fully in place for about two years now. It took us eight months or so to get the foundation laid and put the elements of the program in motion. We started with more of a top-down approach to make sure we had the right governance structure (the reporting structures to the board and executive management) set up. Concurrently, we implemented what I would call the bottom-up part of it, which is the grass-roots risk and control assessment process.
It takes time to get that into motion and by the latter half of 2014, we were finished, or at least established in a consistent fashion. We’ve just continued to build on it from there. It’s really a maturation process. It’s never over. You always have to continue to mature and get better at it.
In terms of challenges, one is awareness. In an organization such as ours, where risk management was more distributed across the organization, we were doing it but it was ad-hoc in nature and not tied together in a central program, or a consistent discipline across the organization.
You have to make people aware of what enterprise risk management is, and what it isn’t, and who’s doing what, and how it’s supposed to work, and what the governing principles are. The awareness piece of it is an educational process that takes time, and is a challenge, in terms of how you go about that.
Which also leads into another challenge, which is role clarity. I mentioned the three lines of defense; people need to know what is expected of them under the program.
ERM gives you a holistic view of risks throughout the enterprise. That sounds like something that’s good to have, but does it really, in a very tangible way, enable management and the board to control risk more effectively than when risk management was siloed—or as you put it, distributed—throughout the organization? Bilko: In my opinion, it does because it allows you to break down your risks into portfolios that receive very focused attention on a regular basis. There’s constant assessment and identification of risk that leads to control or mitigation, and it all rolls up into a risk profile at the portfolio category level, which would include such risks as credit, market, operational, strategic and reputation, that then can be consolidated into an aggregate portfolio for the institution. We provide quarterly updates on those risk portfolios as well as the aggregate risk profile, so that anything that needs to be addressed is addressed more quickly.
We’re able to get a more forward looking view rather than always looking behind us, which is more of the old way. This is much more dedicated to seeing the train coming at us rather than looking at it right after it’s run over us.
What advice would you give another bank that is starting down the path of ERM design and implementation, based on your experience? Bilko: First of all, there’s a ton of information and knowledge available today on ERM. You can find whatever you want just by searching the internet, not to mention all the consulting firms that offer advice on it. There’s no shortage of information.
I think the biggest thing you have to do is align the program with your culture. If you do something because it’s traditional, or best practice, but is counter to your culture, it’s going be way more difficult to implement.
One of the things that I focused on here was to make sure I understood our culture, so that we could implement or build a program that was aligned with that, recognizing that culture changes over time.
I also think it’s important to keep it simple so that it’s easier to create and to understand for the people who are involved in it.
What’s your reporting relationship with Union’s CEO, William Beale, and with the board of directors? How do you line up with both of them from a communication and accountability perspective? Bilko: I report directly to our CEO. He actually sits in the office right next to mine, and he keeps me close by. We talk a lot. He’s very inquisitive and very focused on ERM, and he uses me a lot as a sounding board on a lot of different risk and control issues.
The way we’re set up is, I have a direct reporting line into the CEO and a dotted line into the risk committee of the board. I kind of view it as a triangle: the CEO, the board’s risk committee and myself. We try to keep the triangle intact, and be very transparent with everything we’re doing. I think that’s a good way to do it. The risk committee is very involved in the oversight of the enterprise risk management program. Our CEO’s participation and interaction in my process allows us to be better and more effective in terms of governance reporting and actual practice.
Union has both an audit committee and a risk committee. How has the board divided up risk governance between the two, and how often, and in what way, do you communicate with both committees? Bilko: The risk committee of the board is charged with the oversight of enterprise risk management. All the elements of that program are under their umbrella, and we report on them. To draw the distinction between the risk and audit committees, I participate in the audit committee meetings just like our chief audit executive participates in our risk committee meetings. There is a lot of sharing going on there and a lot of interaction. I hear what the conversations are within the audit committee realm from a control perspective and risk mitigation perspective. In the same vein our chief audit executive hears that from the risk committee side. There’s a fairly deep connection there.
Additionally, our audit committee and risk committee have a joint meeting once a year where all the directors on those committees are in the same room and we build an agenda that reflects what the risk management program is doing and reporting on, as well as what the audit group is involved with and some of the significant issues that they’re reporting on.
And finally, we have two directors that are on both the audit committee and the risk committee, so there’s that cross-over that’s happening as well.
I wouldn’t characterize it as dividing up risk between the two committees. I would characterize it as more open and broader communication across the committees so that both are aware of what’s going on, what issues need to be discussed, elevated and acted on. The full board is getting the benefits of those reports from both committees, and they’re both in the know.
Regulation becomes much tougher when a bank crosses over the $10 billion asset threshold. My understanding is that the regulators don’t wait until you get there and then suddenly look at you differently. As you get closer to that magic number, they want to know where you’re going as an organization. They want to know what your growth plans are, they want to know where you think the bank might be in five years, and they want you to start building an infrastructure that is scalable and appropriate for a larger bank, even if you haven’t reached that point legally. Is that how it works, in your experience? Bilko: Yes. The way you described that is pretty spot on. The regulatory agencies, and our primary regulator is the Federal Reserve, want to understand your objectives, your strategies, and if those strategies are growth oriented. We have regular conversations with our counterparts at the Federal Reserve to keep abreast of those types of things and what we can expect. Clearly, it’s a matter of readiness and scalability. If you’re going to grow, you need to be ready to grow. When they talk about it, that boils down to infrastructure and processes that are capable of handling that growth dynamic. It’s something that we’ve certainly experienced over the last few years as we’ve continued to execute our growth strategy.
What do you think the greatest risk challenges are facing banks today, including Union? What do you worry about most? What would keep you up at night? Bilko: I get asked that question a lot, actually. I think what’s top-of-mind always—and it seems to be what we read about the most—is the risk associated with technology, vulnerability to data loss, information security, breaches, those sorts of things. We can play defense, but the bad guys are really good at playing offense, so our defense lags. We don’t consider ourselves necessarily to be a prime target, but the effort to keep our data protected is an ongoing imperative.
Process discipline has also become very important. Operationally, we want to be very sure that we have appropriately determined the risk around our processes, and that they are controlled adequately and are kept up to date. Typically, where you have gaps in your processes is where you have breakdowns.
I would summarize by saying that a lot of risk management is change management: adapting your risk practices to the constant changes that are occurring. We live in a rapidly changing world, both regulatory and otherwise, and we have to be able to adapt quickly.
What’s your professional background, and what path did you follow to become a chief risk officer? Bilko: I have spent my entire career in banking, at both big banks and small banks. I worked for a couple of years in retail banking, and then a couple of years in the support group for lending. But up until about the last six years, most of my career has been spent in internal audit. I have been involved with, or at least got to see and learn, just about every aspect of the business, and every area within the institution. It created a broad view for me of how things run and what makes these banking organizations tick.
Over the course of time, I was able to really understand all the different functions and businesses within [a banking] organization. Later on, I became more involved in the management and infrastructure of the company as chief audit executive. It was kind of a natural progression from the control world of internal audit to a broader enterprise-risk view.
Internal audit seemed to be a logical training ground for a chief risk officer because there’s probably no one who has a better view of the entire organization than the internal audit team. It’s their job to poke into everything. Are there other disciplines within the bank that could also be good training grounds for CROs? Bilko: I would say that beyond internal audit, there are certainly other skills that will add to the versatility. Technology, data management and data analytics are such a large part of what we do today, and will be going forward, so there’s a clear need for experience and background in utilizing data to better identify, understand and prevent risk incidents or events. The whole big data thing is important to translate well into the risk management world.
And it will never hurt to live for a little while in the credit space, particularly if you’re doing some credit analysis, or you’re supporting a lending activity, where you get to understand the underwriting criteria and loan portfolios.
As bank leaders explore different avenues for growth, they must also weigh the risks that could threaten their institution. In this panel discussion from Bank Director’s 2016 Bank Audit & Risk Committees Conference, led by President & CEO Al Dominick, Dale Gibbons of Western Alliance Bancorp., Lynn McKenzie of KPMG and Bill Fay of Barack Ferrazzano Kirschbaum & Nagelberg focus on the key issues that bank boards and executive teams need to address, from third-party vendor risk to strategic growth.
There are many challenges that bank boards and executives must address. Bank Director President Al Dominick briefly reviews current issues that demand attention and emerging ones highlighted at Bank Director’s Bank Audit and Risk Committees Conference in Chicago June 11-12.
“I know what many of you are thinking. You’re thinking, ‘This man is duplicitous.’ You’re thinking that he has held things close to his chest. You’re thinking that he did not respond fully to the desires and wishes of the American people. And I want to tell you, ‘You’re wrong.’” –Robert S. McNamara in “The Fog of War,” a documentary.
Defense Secretary Robert McNamara made a lot of unfortunate decisions during the Vietnam War, depicted in the 2003 documentary, “The Fog of War.” Some of the battles that banks face are obviously not as horrifying as an actual war. But they do involve a great deal of money. And any decisions involving a great deal of money require a great deal of care. Banks and their customers are under increasing attack by highly sophisticated cyber criminals successfully stealing confidential information and hundreds of millions or even billions of dollars. (There is no comprehensive official number or record keeping.) Bank boards are trying to figure out how to respond and what to do to provide proper oversight of their security apparatus.
“In terms of cyber crime, a lot of us think it’s going to get worse before it gets better,” said Ken Jones, director of fraud risk management at the consulting firm KPMG, speaking to an audience of about 300 people at Bank Director’s Bank Audit & Risk Committees Conference in Chicago recently. “The (community banks) here are absolutely a focus of the international cyber criminals.”
While some vendors may have a personal interest in terrifying you, it was clear to me that many bank directors in the audience are very concerned about cyber attacks and whether their banks are adequately addressing the problem. Is your bank staff staying abreast of threats, using security software the way it was intended and keeping a keen eye on your IT vendors? Other threats that could prove to be very costly in the years ahead include:
Interest rate risk. Many banks are extending credit at a fixed rate of interest for longer terms in an effort to compete and generate much-needed returns. This will be a problem for some of them when interest rates rise and low cost deposits start fleeing for higher rates elsewhere. You could assume the asset/liability equation will equal out, but will it? Steve Hovde, president and CEO of the investment bank Hovde Group in Chicago, is worried about financial institutions taking on too much interest rate risk, as he has seen credit unions offer 10- or 15-year fixed-rate loans at 3.25 percent interest. “I’m seeing borrowers get better deals with good credit quality than they have ever gotten in history,” he said at the conference.
Reputation risk. In the age of social media, anyone can and does publicize to hundreds of friends any complaint against a bank. Cyber attacks, such as the one that befell Target Corp., can be devastating and cost the CEO his or her job. Rhonda Barnat, managing director of The Abernathy MacGregor Group Inc., says it’s important not to give TV news an incentive to do a story, such as telling a reporter that your employee’s laptop was stolen at a McDonald’s with sensitive customer information, prompting a visit by the camera crew to the McDonald’s. As of now, there is no requirement to publicly disclose the number of records stolen, so public relations firms such as The Abernathy MacGregor Group urge circumspection. Disclosing a theft, but not disclosing how many customer records were stolen, could keep you off the front page of the local newspaper. Focus on the people who matter most: your customers, investors and possibly, your regulators. They want to know how you are going to fix the problem.
Compliance risk. Regulators are increasingly breathing down the necks of bank directors, wanting evidence that the board is actively engaged and challenging management. The official minutes need to reflect this demand, without necessarily going overboard with 25 pages of detailed discussion, for example. Local regulators are increasingly deferring questions to Washington, D.C., where they can get stuck in limbo. When regulators do give guidance, it is often only verbal rather than written and can cross the line into making business decisions for the bank, said Robert Fleetwood, a partner at Barack Ferrazzano in Chicago. In such an environment, it’s important to have good relations with your regulators and to keep them informed.
*Thanks to Wintrust Financial Corp.’s audit committee Chairman Ingrid Stafford for giving me an idea for the title of this article, if not the actual article.
The focus on the board’s role in managing risk has certainly been in the spotlight in the years following the financial crisis, with the regulatory bar raised regarding risk governance. While publicly traded institutions with more than $10 billion in assets are specifically required to establish separate risk committees of the board, many smaller banks are doing so as well. In March, Bank Director’s 2014 Risk Practices Survey found that more than half of institutions with between $1 billion and $5 billion in assets and 76 percent of those with between $5 billion and $10 billion in assets now govern risk within a separate committee. Data for institutions with less than $1 billion in assets was not collected.
When does a bank need a separate board-level risk committee? Despite the rising popularity of risk committees, many community banks have not taken this approach, but instead govern risk in the audit committee or as an entire board.
Regardless of size, banks with a more complex risk profile have a greater need to govern risk within a separate board-level committee. Not only does a more complex organization intrinsically have a more complex risk profile, its audit committee will be more heavily tasked, leaving less time to devote to risk management matters. In that situation, “the best case scenario is to have two separate committees,” says Jennifer Burke, partner at accounting and consulting firm Crowe Horwath LLP.
Jim McAlpin, partner at Bryan Cave LLP, believes it best to separate risk and audit responsibilities if the bank has qualified directors for both committees. “Not all boards have qualified directors for this,” he says. “Unless you have adequate capability on the board, it’s not helpful to have both committees.”
The ability of the board to place appropriate members on a risk committee is important, and having those skills mirror that of the bank’s audit committee may not be the best approach. The risk analysis process focuses on more than just financial risk and requires directors who can anticipate a variety of problems that could be faced by the institution. “It’s good to have directors with a compliance or risk background that are used to thinking outside of the box. The most beneficial aspect of the risk committee is anticipation,” he says. “The board can charge management to focus on areas where risks appear to be developing.”
He sees more banks bringing in new directors with these skills, and there is no shortage of qualified candidates. That said, larger institutions can better attract directors from outside the community and recruit for these skills, so risk and compliance expertise may not be found on the boards of smaller, less complex banks. “So far, the regulators understand this,” says McAlpin.
Generally, the more complex an organization is, the more likely the regulators will be to urge the establishment of a stand-alone risk committee. McAlpin recommends that a board look at how many different business lines the bank has, particularly in consumer-facing areas like mortgage lending. Over the past two years, scrutiny by the regulators on consumer compliance has grown significantly, he says, resulting in greater risk to the bank regarding these issues. Further risk analysis may also be required if the bank is involved in business lines that regulators deem to be unique or cutting edge.
The maturity of the bank’s risk management program could also dictate whether the bank is ready to establish a separate risk committee.
Crowe Horwath Partner Mike Percy says that a more mature and developed enterprise risk management (ERM) program will allow the board to better assess and monitor risk. Without the robust set of information provided through a mature ERM program, a risk committee won’t have much to contribute. “If you lead with [the risk committee] before the processes are mature, I think it just frustrates” board members, he says.
But McAlpin can see how a risk committee could precede development of an ERM program or the hiring of a chief risk officer. “The risk committee could be the body to take the steps of driving the hire of risk personnel or implementation of ERM,” he says.
A bigger bank is, typically, a more complex one, so banks with plans to grow, whether through organic means or by acquisition, may consider beefing up their approach to risk governance. Percy says that some regulators, notably the Office of the Comptroller of the Currency, consider risk committees to be a best practice for institutions approaching $10 billion in assets.
Burke says that a bank’s growth strategy should be considered when a board makes a decision to have a risk committee, and for those with a more aggressive growth plan a risk committee is a best practice. “You’re making changes, you’re growing [and] your strategy is different from what it’s been in the past,” says Burke.
Growth typically results in additional personnel, business lines and assets, particularly as the result of a merger, which could lessen the certainty that the board knows everything they need to know, says McAlpin.
“An acquisition strategy is just an additional complexity,” adds Percy. Banks with an eye to grow, particularly those above $1 billion in assets, need the infrastructure in place to support a larger organization, which could include a chief risk officer, an ERM program and a board-level risk committee.
“This side of the banking crisis, the attention to risk is greater than it was,” says Percy. Whether governed within a separate risk committee, combined with audit responsibilities or addressed as a full board, the board, along with senior management, is responsible for setting the tone for risk governance.
The Financial Stability Board, an international regulatory agency based in Basel, Switzerland, released guidance in April (“Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”) that details the elements of a sound risk culture within a financial institution. Though primarily intended for an audience of large, systemically important institutions, this report provides some basic tenets that can be applied to institutions of all sizes. A key element of a sound risk culture that is perhaps the most applicable to bank directors is the establishment of an “effective system of controls commensurate with the scale and complexity of the financial institution.”
In addition to a mature ERM program, this system of controls would include proper oversight by the board. McAlpin recommends that boards work with senior management to determine what areas of risk require the board’s focus. Independent analysis should play a role in these decisions. “If the board relies only on senior management, that’s a big mistake,” he says.
Enterprise Risk Management (ERM) is a hot news item. Everyone is writing about it—from the Harvard Business Review, to regulatory examiners guidance, to consulting firms, to The New York Times. ERM seems to be the newest panacea created to protect the financial markets from themselves. However, it isn’t a magic pill. Nor is it as simple as implementing a policy or assigning responsibilities to one individual and yielding immediate success and benefits. It is an all-encompassing cultural shift—where an institution’s management and employees embrace the concept that the institution has risks and that the internal identification of those risks, by everyone at every level of the institution, is key to the proactive management of the institution’s risks.
A recent Deloitte study defined a successful ERM program as follows:
[A]n ERM program is meant to set the overall framework and methodology for how a company manages risks. ERM provides an institution with the tools to clarify its risk appetite and risk profile, and to evaluate risks across the organization. By adopting a comprehensive approach to risk identification and assessment, ERM can help identify many dependencies or interrelationships among risks that might otherwise go unnoticed.
When building an ERM program, the focus should be on providing executive management and the board of directors the information they will need to guide their institution towards longer-term strategic goals.
Benefits of an Effective ERM Program
As the familiar saying goes, “knowledge is power.” The board has a responsibility to safely guide and provide the necessary oversight to ensure that the strategic plan of the institution is successfully achieved. A comprehensive ERM program should provide the board and executive management with necessary and timely information on the institution’s risks, in order for them to make decisions and provide proactive supervision.
It should also provide a singular focus on the institution’s risk profile and strategic plan, forging a common direction for the institution’s management team.
Tying ERM to the Institution’s Strategic Direction
To quote a less familiar saying, “[P]ast performance is not indicative of future performance.” Just because examiners have not found a problem does not mean one does not exist, or that the environment is not right for something to go wrong in the future. Indeed, Nassim Taleb, Daniel Goldstein and Mark Spitznagel, authors of the Harvard Business Review article “The six mistakes executives make in risk management,” identify reliance on past performance as one of those six mistakes. In our ERM programs, we need to focus on the future likelihood and impact of a risk.
We know intuitively that just because a person crosses a road blindfolded 10 times without being hit by a car does not mean this success will continue. Many factors besides past performance will play into future performance. Just for a moment, think about what would happen to this person if he or she continued to cross that road blindfolded because there had been no issues in the past. How complicit would you be in the ultimate result if you failed to point out that in the past this person was crossing the road at midnight, and he or she was now getting ready to cross at rush hour? The blindfolded person did not have the necessary information to make an informed decision. Effective ERM can provide that information from which informed decisions can be made about future risks and strategic impact.
There are many situations like crossing a road blindfolded that we instinctively know are risky. However, there are many circumstances where the impact of risks is not immediately apparent, making them harder to tease out. As a board member, you must be provided with the necessary information and data to holistically understand the interconnectivity of risks and the impact of individual risks on the overall risk picture. Sponsoring an ERM program that is built around a singular framework tied to the strategic plan and risk appetite, as opposed to reviewing risk reports individually by risk discipline, will provide you with the information in a way that can be easily and systematically included in the strategic planning process. It may be a data challenge at first, but one that will reap huge rewards when you have consistent information to serve as a foundation for decision-making.
The success of an ERM program is driven in large part by board support. When board members expect ERM efforts to focus on longer-term strategic plans and the success of the institution, they foster a coalition of support for building an effective ERM program. Employees and management participate more readily in efforts to collect complete, reliable, current data that will ultimately allow the board to provide the necessary guidance and oversight for the institution.
If you take this strategic approach to ERM, risk management can provide that long-term check on potential short-term operational decisions and shift the culture so that meeting long-term strategic objectives while staying within the risk appetite is intuitive. This approach will make ERM an integral part of the success of the business, and more importantly, may provide that “panacea” that people are looking for.
What ERM Is Not
It is equally important to understand what an ERM program is NOT. If the following are in place at your institution, you should NOT mistake them for a comprehensive, proactive ERM program similar to the one identified by the Deloitte definition:
Risk-based audit plan
Compliance testing program
Disaster planning program
ALCO (asset-liability) committee
SOX (Sarbanes-Oxley) compliance program
Checks and procedures in place solely to meet regulatory requirements with no connection to strategic planning
Individual risk assessments for requirements such as BSA (Bank Secrecy Act), fair lending, security, etc.
Individually, none of these represent an ERM program. However, when aggregated in a common framework across all risk disciplines with a singular goal, they become the basis for a solid ERM program.
It is not enough to just identify your risks. You also need a way to understand the impact of these risks on the organization, consistently across risk disciplines and across business lines. To understand impact, you need to be able to measure, compare and prioritize individual risks regardless of whether they are an IT risk or a liquidity risk.
If every risk discipline had its own processes, definitions and best practices it would be almost impossible to understand the true risk of an activity/decision/product. Different reporting structures, definitions and even color indicators can make it difficult for the board to compare a highlighted risk from the ALCO committee to another raised by the audit committee, for example.
It will likely be difficult to create a framework that is consistent yet flexible enough to apply to multiple unique risk disciplines. However, support from the board and a tie-in to the strategic plan and risk appetite will help push this forward.
While it may be difficult to create a consistent framework for uniformly tracking risks across disciplines, what have been consistent are regulators’ expectations that such a framework be in place. Regulators are now regularly asking questions to determine whether an ERM program is a “true” ERM program. They want to know whether an ERM program spans all risk disciplines and accounts for the interconnectivity between the different risk disciplines and individual risks. Creating this type of program does not happen overnight. There are many issues that need to be dealt with to be able to operate within a singular framework. The board should require risk discipline owners to develop and report through a singular framework. This framework needs:
Consistent definitions and language
Unvarying scoring/rating definitions (i.e., a $10,000 impact and a $1,000,000 impact should probably not have the same coding in reports just because one comes from finance and the other from compliance)
Common formats for assessing risk to make it easier for the business owners
Ability to know if an information technology risk is also a compliance, strategic and operational risk, to better understand the true impact to the institution.
The Deloitte study found that the biggest impediments to thoroughly implementing an ERM program are gathering and managing data across the institution through the use of a consistent framework and embedding the processes, data and framework into the everyday workings of an organization.
The essence of the culture shift is this: embedding risk-reduction processes into day-to-day business activities, as opposed to merely thinking about potential risks. Enhanced reporting on risk-related data supports this goal and is imperative for decision making and supporting strategic planning. To get to this data, and for it to make any sense, it is important that all risk disciplines are utilizing the same risk management framework. If different frameworks are used, several things can happen. First, individuals can spend days or their whole job just transforming data and creating reports. Second, decisions could be made based on data that appear to be comparable, but due to definitional and scoring issues are not. Neither is effective or efficient.
What to Do Next
Currently the “accepted” theory on risk management is that it needs to be a “top-down” approach. The board and executive management must discuss and agree on a business strategy and a risk appetite. Then this information is “pushed down” into the organization through “control groups” like ERM, compliance, EM, etc. While ERM needs to start at the top, it cannot be “pushed down” until there is a cultural shift within the organization that alters the mindset of the entire organization regarding the role of risk management.
This is most successful when implemented as a circular process, where each individual is important and responsible for understanding and managing risks. The board and executive management need to say that risk management is important, define the risk appetite, provide investment where necessary to reduce risks, and make it apparent that they view ERM as everyone’s job, not just the job of the chief risk officer. The risk discipline leaders need to translate this risk appetite, create a process to identify and assess risks and work directly with the various operating divisions to evaluate how their businesses and decisions compare to that risk strategy. Decisions are made continually based on this information. The risk staff report back to the board and executive management on the program and overall institutional risk, which rounds out the process.
Step 1: Review, update, and approve the strategic plan.
Step 2: Work with executive management and risk leaders to ensure the strategic plan is translated into a risk appetite statement that the board approves.
Step 3: Ensure the risk discipline leaders, not just executive management, understand both the strategic plan and the risk appetite.
Step 4: Ask the risk discipline leaders and ERM (if you have a designated individual) to demonstrate that the ERM and individual risk programs have incorporated your strategic plan and risk appetite into their programs.
Step 5: Risk discipline leaders should present a singular framework for future ERM reporting to the board.
Step 6: Conduct a brainstorming session that identifies emerging or major risks that could keep the institution from meeting strategic objectives. ERM incorporates this into the risk assessment program.
Step 7: Reporting is updated and augmented to ensure that the board understands the highest profile risks, how they interconnect between the different risk types, their potential impact to the institution, and mitigation plans and responsibilities, etc.
“New Language” and Your Questions to Ask
Key Risk Indicators (KRIs): Ratios or data points that alert you to potential problems/risks that should be investigated.
Key Performance Indicators (KPIs): Ratios or data points that help you measure the success of the institution’s ERM program and/or strategic plan implementation.
Inherent Risk: The base risk that exists by being in business, without your institution’s programs or controls in place. It is beneficial for the board to understand which risks have very high inherent risk so that they can ensure the proper resources are allocated to control those risks.
Residual Risk: The controlled risk that exists after taking into account your ERM and other management programs. In most cases this is the most important “score” for the board to review and understand.
Risk Disciplines: A generic term for IT, audit, compliance, operational, PR, finance/treasury and other operational areas that actively manage the institution’s risk profile.
Risk Assessment: The process to identify and score the impact of a risk happening and the likelihood that it will.
Risk-Based Audit: An overall understanding of the risks of an institution so that an audit calendar can be created that focuses audit resources on the highest areas of risk for the institution.
Compliance Risk Assessments (BSA, Fair Lending, etc.): Detailed risk assessments that are required by regulation and/or law on a specific topic defined by a regulation.
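To make the “singular framework” requirements above concrete (consistent definitions, unvarying scoring so a $10,000 and a $1,000,000 impact never share a code, and visibility of a risk that spans several disciplines), here is an added example of a minimal cross-discipline risk register that scores inherent and residual risk on one shared scale. It is not the article’s or Deloitte’s framework; the impact bands, likelihood weights, rating thresholds and sample risks are constructed assumptions for illustration.

```python
"""Added example, not from the article: a tiny cross-discipline risk register
that applies one scoring framework to risks reported by different disciplines.
Bands, weights, thresholds and sample risks are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Dollar impact bands (upper bound, score). A $10,000 loss and a $1,000,000
# loss land in different bands no matter which discipline reports them.
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def impact_score(dollars):
    """Map a dollar impact estimate onto the shared 1-5 scale (5 above the top band)."""
    for upper, score in IMPACT_BANDS:
        if dollars <= upper:
            return score
    return 5


def rating(score):
    """One word definition for everyone: score is impact x likelihood (1-25)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                    # discipline that reported and manages the risk
    impact_usd: float             # estimated loss if the risk materialises
    likelihood: str               # key of LIKELIHOOD
    control_effectiveness: float  # share of inherent risk removed by controls, 0..1
    disciplines: tuple            # every discipline the risk touches, owner included

    def inherent(self):
        """Risk of simply being in business, before any controls."""
        return impact_score(self.impact_usd) * LIKELIHOOD[self.likelihood]

    def residual(self):
        """Risk left after controls; the score the board should review."""
        return round(self.inherent() * (1 - self.control_effectiveness), 1)


def board_report(risks):
    """Rows sorted by residual risk, with identical fields regardless of owner."""
    rows = [{"name": r.name, "owner": r.owner, "inherent": r.inherent(),
             "residual": r.residual(), "rating": rating(r.residual()),
             "disciplines": r.disciplines} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def by_discipline(risks):
    """Index risks by every discipline they touch, so an IT risk that is also
    a compliance and reputation risk shows up in each of those views."""
    index = defaultdict(list)
    for r in risks:
        for d in r.disciplines:
            index[d].append(r.name)
    return dict(index)


# Constructed sample register: three risks reported by three disciplines.
SAMPLE_RISKS = [
    Risk("Customer data theft via unpatched server", "IT", 2_000_000, "likely", 0.5,
         ("IT", "compliance", "operational", "reputation")),
    Risk("Fixed-rate lending outruns deposit repricing", "finance", 5_000_000, "possible", 0.4,
         ("finance", "strategic")),
    Risk("Late BSA filing", "compliance", 10_000, "likely", 0.75, ("compliance",)),
]

if __name__ == "__main__":
    for row in board_report(SAMPLE_RISKS):
        print(row)
    print(by_discipline(SAMPLE_RISKS))
```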
We have a risk management program in place. How does the board know if the program is providing timely, valuable information upon which informed decisions can be made?
Are your bank’s strategic plan and risk appetite statements driving your ERM program, or does it seem to be an exercise in regulatory paperwork?
Are your auditors auditing your ERM program or performing your risk management function? If they are performing it, who is auditing it?
Have you correlated any of the risks, and do you understand the overall impact of a singular risk to your institution regardless of whether it is IT, compliance, finance, etc.?
Risk Scoring/Reporting Reports
What does “red,” “4,” “high risk” really mean?
How does your program remove “high risks” from the reports?
Are people/divisions penalized for noting a “high risk”?
Do we have any key risk indicators that tell us we may need to become more concerned with these risks?
How do these ratings translate into “impact” to the institution (i.e., not achieving our strategic plan or going outside of our risk appetite)?
Who manages the medium or low risks to ensure they don’t become high risks?
How often do you update your risk scoring? (Annually is typically good for community banks.)
Who participated in the scoring of the risks? (More than the person responsible for the risk should be involved in scoring.)
Day-to-Day Management Questions
Is the business leader held responsible for the risks in their business?
Do your risk discipline leaders work together to identify, assess and manage risk across the institution?
Does all management take the risk assessment and management process seriously and consider it part of their job?
If issues (surrounding key risks) are identified and action plans put in place, do we hit our dates and have involvement by the entire team necessary to act?
Are the proper resources allocated to ensure the institution can manage ERM and provide relevant data to the appropriate individuals for decision making?