When to Form a Risk Committee

Should your board form a standing risk committee — and how will you know that the time is right?

Federal law requires publicly traded bank holding companies to establish a standing board-level risk committee once they reach $50 billion in assets. The requirement dates back to the passage of the Dodd-Frank Act in 2010; the original asset threshold was set at $10 billion but was raised to $50 billion when some of Dodd-Frank’s provisions were relaxed in 2018.

Not every bank waits until it reaches $50 billion to form a risk committee. Many boards make that decision when their bank is much smaller, generally in reaction to its growing size and complexity. In my experience, smaller banks tend to handle risk oversight through their audit committee. But as a bank grows by expanding geographically, adding new business lines or diversifying its loan portfolio — and sometimes doing all of these things at once — its risk profile changes. There is simply more to keep track of — more that can go wrong — and it becomes appropriate to assign the job of risk oversight to a dedicated committee.

In my opinion, once a bank becomes large and complex enough that risk oversight shouldn’t be juggled with audit committee issues like overseeing the external audit or ensuring the integrity of the bank’s financial statements (if it’s a public company), having a dedicated risk committee becomes a best practice.

“When the materials, when the content, when the conversations get more complex and more involved — that’s when I tend to see audit committees split apart into a pure audit committee and a board risk committee,” says Ryan Luttenton, a partner at the consulting firm Crowe LLP. “It’s when the complexities of the institution become a little more challenging to manage in the context of just one meeting. When you start to push things into consent agendas, and you’re approving things and the list starts to grow and grow, it becomes a question of, are we doing a disservice to the institution by not having more constructive discussions around risk and strategy in a risk committee?”

BankNewport, a $2.3 billion mutual bank subsidiary of OceanPoint Financial Partners, opted to form a risk committee in 2016 when it was just $1.4 billion. According to risk committee chair James Wright, the Newport, Rhode Island-based bank was beginning to expand beyond Aquidneck Island, an island in Narragansett Bay that contains Newport and surrounding towns, to the rest of Rhode Island. The bank was also beginning to expand its lending focus to include commercial real estate, an inherently riskier asset class.

Previously, the BankNewport board had not assigned risk oversight to its audit committee, but instead handled it in a compliance and trust committee. The board ended up reconstituting that committee as a standing risk committee. “I think it was a variety of things that led us to doing that,” says Wright. “Our credit portfolio was shifting from more of a residential focus to more commercial. It wasn’t dramatic, but the balance was starting to shift. We were taking on more of a geographic footprint. It really was time to create a more enterprise-wide, strategically focused risk committee that would look at all risk as connected entities.”

There are seven members on the bank’s risk committee, including the board chair and CEO, and it meets quarterly. Around the same time that it created the committee, BankNewport also hired its first chief risk officer to build out a more comprehensive, enterprise-wide risk management process at the bank level. Wright believes the board’s decision to form a risk committee, combined with stronger risk management practices at the bank level, has greatly improved the quality of its risk oversight. “Now, there’s a more centralized place for everyone to go and say, ‘What are we doing about this? What are our protections? What are our proactive measures we’re taking on these things?’”

Another bank that made a decision to bring a sharper focus to risk governance is Glacier Bancorp, a $21.3 billion asset regional bank in Kalispell, Montana. According to committee chair Annie Goodwin, the bank had approximately $5 billion in assets when it formed a risk oversight committee in 2012. Obviously, this was well under the $10 billion threshold that had been established by Dodd-Frank, but the bank wanted to be ready when it got there.

“Even though we’re not at the $50 billion asset threshold presently … our board has made the decision to maintain the risk oversight committee,” Goodwin says. Nine of Glacier’s 11 directors sit on the committee, and its risk oversight officer reports directly to the committee and provides it with monthly reports.

“The risk oversight committee provides a disciplined structure to ensure that we are conducting enterprise risk management in a comprehensive manner,” says Goodwin. “So many areas of the bank’s functions and operations are encompassed in the oversight of our committee that I don’t think our board could ever go back and not have a risk oversight process again.”

Although bank regulators rarely mandate that banks below the $50 billion threshold form a risk committee, they often begin to have conversations with banks under their supervision about adopting more robust enterprise risk management practices at the bank level when they approach the $5 billion mark, according to Luttenton. “And then, as you get to $8 billion, what I hear from my clients and feedback from some of the regulators is that they kind of come in and do a light touch,” he says. “They start to set some expectations around enterprise risk and things like model risk management and vendor management.” Regulation generally becomes tougher when a bank passes the $10 billion mark, and the regulators want a strong risk management program in place by then.

And if the bank is beefing up its risk management policies and practices at the bank level, it may make sense for the board to focus its risk governance efforts in a dedicated committee.

Goodwin is a former regulator who served as Montana’s Commissioner of Banking and Financial Institutions from 2001 to 2010. She believes that even small community banks can benefit from bringing a more focused approach to risk governance by setting up a dedicated committee.

“For all banks that are sitting on the sidelines with whether or not they should implement an enterprise risk management committee, my advice is to get started soon,” she says. “And even if it’s a very simple process, it’s always easier to implement a program when the bank is small, rather than waiting until it gets much larger in asset size and much more complex in its operations. I think even with a smaller community bank, enterprise risk management can get into the board’s DNA, their way of thinking that prepares them for the future and to help the bank with its long-term success.”

Brian Nappi, a senior manager at Crowe, says directors are often bogged down under the weight of too much information. “If I’m sitting on a risk committee and I have to look at more than nine pages to understand where we are, then we’re not good communicators,” he says. The first page should have four things, Nappi says: the risk appetite statement compared to the bank’s risk profile at the end of every quarter; the top three to five risks facing the bank; management’s response to those risks; and the top two or three emerging risks. The remaining eight pages should contain a variety of risk data if the committee members want to drill down deeper, he adds.

Generally speaking, risk committees should be forward-looking in their focus, while audit committees naturally look backward. This is why handling risk in the audit committee is something of a philosophical disconnect. When a bank forms a risk committee after its audit committee has been handling risk oversight, the audit committee still plays an important role in verifying that the bank’s various risk management policies are being followed.

“The focus for audit committees is on internal controls — which controls are working, and which ones are broken,” says Nappi. “Risk committees, their focus should be on what’s the highest residual risk [facing] the institution, and what [is] management’s response to those risks.”

The Most Effective Bank Directors Share These Two Qualities

Banks have a slim margin for error.

They typically borrow $10 for every $1 of equity, which amplifies any misstep or lapse in control. Robust oversight by a board of directors, and in particular the audit and risk committees, is key to the success of any institution.

“At the Federal Reserve Bank of Kansas City, we have consistently found a strong correlation between overall bank health and the level of director engagement,” wrote Kansas City Fed President Esther George in the agency’s governance manual, “Basics for Bank Directors.” “Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors.”

This may sound trite, but the strongest bank boards embrace a collective sense of curiosity and cognitive diversity, according to executives and directors at Bank Director’s 2019 Bank Audit & Risk Committees Conference in Chicago.

Balancing revenue generation against risk management requires a bank’s audit and risk committees to invite skepticism, foster intelligent discussion and create a space for constructive disagreements. Institutions also need to remain abreast of emerging risks and changes that impact operations and strategy.

This is why curiosity, in particular, is so important.

“It’s critical for audit committee members to have curiosity and a critical mind,” says Sal Inserra, a partner at Crowe LLP. “You need to ask the tough questions. The worst thing is a silent audit committee meeting. It’s important to be inquisitive and have a sense of curiosity.”

Board members who are intellectually curious can provide credible challenges to management, agrees John Erickson, a director at Bank of Hawaii Corp.

Focusing on intellectual curiosity, as opposed to a set of concrete skills, can also broaden the pool of individuals that are qualified to sit on a bank’s audit and risk committees. These committees have traditionally been the domain of certified public accountants, but a significant portion of audit committee members in attendance at the conference were not CPAs.

Robert Glaser, the audit committee chair at Five Star Bank, sees that diversity of experience as an advantage for banks. He and several others say a diversity of experiences, or cognitive diversity, invites and cultivates diversity of thought. These members should be unafraid to bring their questions and perspectives to meetings.

Having non-CPAs on the audit committee of Pacific Premier Bancorp has helped the firm manage the variety of risks it faces, says Derrick Hong, chief audit executive at Pacific Premier. The audit committee chair is a CPA, but the bank has found it “very helpful” to have non-CPAs on the committee as well, he says.

Audit and risk committee members with diverse experiences can also balance the traditional perspective of the CPA-types.

“It’s important [for audit committee members] to have balance. Bean counters don’t know everything,” says Paul Ward, chief risk officer at Community Bank System, who self-identifies as a “bean counter.”

“Some of the best questions I’ve seen [from audit committee members] have come from non-CPAs,” Ward says.

However, banks interested in cultivating intellectual curiosity and cognitive diversity in their audit and risk committees still need to identify board members with an appreciation for financial statements, and the work that goes into crafting them. After all, the audit committee helps protect the financial integrity of a bank through internal controls and reporting, not just reviewing financial statements before they are released.

Executives and board chairs also say that audit and risk committee members need to be dynamic and focus on how changes inside and outside the bank can alter its risk profile. Intellectual curiosity can help banks remain focused on these changes and resist the urge to become complacent.

I’ll be the first to admit that qualities like curiosity and cognitive diversity sound cliché. But just because something sounds cliché, doesn’t mean it isn’t also true.

Two-Thirds of Bank Directors Are Worried About the Same Thing

At around a quarter to seven o’clock on the evening of Saturday, May 11, firefighters showed up at Enloe State Bank in Cooper, Texas, to find a stack of papers on fire on the conference room table.

“We believe it is suspicious,” said the sheriff, “but we don’t have any more information at this point.” Three weeks later, regulators seized the bank “due to insider abuse and fraud by former officers,” according to Texas Banking Commissioner Charles Cooper.

It’s fair to say that Enloe State Bank is an outlier. It was the first bank to fail in a year and a half, in fact. And one can’t help but wonder what would lead someone to set papers ablaze on a conference room table.

Yet, incidents like this are important for bank executives and directors to register, because they underscore the importance of proactive oversight by a bank’s board—especially the audit and risk committees.

“The essence of the audit committee’s responsibilities is protecting the bank,” said Derrick Hong, the chief audit executive at Pacific Premier Bank, at Bank Director’s 2019 Bank Audit & Risk Committees Conference taking place in Chicago this week. “There are so many pitfalls and risks that could potentially take down a bank, so focusing on those things is the key responsibility of the audit committee.”

Admittedly, it seems like an odd time to worry about risk.

Bank capital levels have never been stronger or of higher quality, noted Steven Hovde, chairman and CEO of Hovde Group. Net charge-offs are lower across the industry than they’ve been in decades. And tax reform has catalyzed profitability. Despite narrow lending margins and subpar efficiency, the banking industry is once again earning more than 1 percent on its assets, exceeding the benchmark threshold last year for the first time since the financial crisis.

But it’s in the good times like these that banking’s troubles are sowed.

“You have to be proactive rather than reactive,” said Mike Dempsey, senior manager at Dixon Hughes Goodman LLP. This approach stems from culture, said Dempsey’s co-presenter LeAnne Staalenburg, senior vice president in charge of corporate security and risk at Capital City Bank Group.

“Culture is key,” said Staalenburg. “Having that culture spread throughout the organization is critical to having a successful risk management program.”

To be clear, the biggest threat to banks currently isn’t bad loans. Credit policy isn’t something to ignore, of course, because loan losses will climb when the cycle takes a turn for the worse. But banks have plenty of capital to absorb those losses, and memories of the last crisis are still fresh in many risk managers’ minds.

The biggest threat isn’t related to funding, either. Even though bankers are concerned about large institutions taking deposit market share as interest rates climb, 74 percent of attendees at Bank Director’s Audit & Risk Committees Conference said their institutions either maintained their existing share or gained share as rates inched higher.

Instead, according to conference attendees, the biggest threat is related to technology. When asked which categories of risk they were most concerned about, 69 percent identified cybersecurity as the No. 1 threat.

Vendor relationships only aggravate this concern. As Staalenburg and Dempsey noted in response to an attendee’s question, vendors offer another way for malicious actors to infiltrate a bank.

Even though we are in a golden age of banking, Hovde emphasized, now is not the time for a bank’s board, and particularly its audit and risk committees, to be complacent.

“Generally, we have seen that the institutions that are well run and have fewer problems are under the oversight of an engaged and well-informed board of directors,” wrote Kansas City Federal Reserve President Esther George in the Fed’s governance manual, Basics for Bank Directors. “Conversely, in cases where banks have more severe problems and recurring issues, it is not uncommon to find a disengaged board that may be struggling to understand its role and fulfill its fiduciary responsibilities.”

An Easy Way to Lose Sight of Critical Risks

Let me ask you a question…

How does the executive team at your biggest competitor think about their future? Are they fixated on asset growth or loan quality? Gathering low-cost deposits? Improving their technology to accelerate the digital delivery of new products? Finding and training new talent?

The answers don’t need to be immediate or precise. But we tend to fixate on the issues in front of us and ignore what’s happening right outside our door, even if the latter issues are just as important.

Yet, any leader worth their weight in stock certificates will say that taking the time to dig into and learn about other businesses, even those in unrelated industries, is time well spent.

Regular readers of Bank Director know that executives and experienced outside directors prize efficiency, prudence and smart capital allocation in their bank’s dealings.

But here’s the thing: Your biggest—and most formidable—competitors strive for the same objectives.

So when we talk about trending topics at this year’s Bank Audit and Risk Committees Conference, hosted by Bank Director in Chicago from June 10-12, we do so with an eye not just to the internal challenges faced by your institution but on the external pressures as well.

As we prepare to host 317 women and men from banks across the country, let me state the obvious: Risk is no stranger to a bank’s officers or directors. Indeed, the core business of banking revolves around risk management—interest rate risk, credit risk, operational risk.

Given this, few would dispute the importance of the audit committee to appraise a bank’s business practices, or of the risk committee to identify potential hazards that could imperil an institution.

Banks must stay vigilant, even as they struggle to respond to the demands of the digital revolution and heightened customer expectations. I can’t overstate the importance of audit and risk committees keeping pace with the disruptive technological transformation of the industry.

That transformation is creating an emergent banking model, according to Frank Rotman, a founding partner of venture capital firm QED Investors. This new model focuses banks on increasing engagement, collecting data and offering precisely targeted solutions to their customers.

If that’s the case—given the current state of innovation, digital transformation and the re-imagination of business processes—is it any wonder that boards are struggling to focus on risk management and the bank’s internal control environment?

When was the last time the audit committee at your bank revisited the list of items that appeared on the meeting agenda or evaluated how the committee spends its time? From my vantage point, now might be an ideal time for audit committees to sharpen the focus of their institutions on the cultures they prize, the ethics they value and the processes they need to ensure compliance.

And for risk committee members, national economic uncertainty—given the political rhetoric from Washington and trade tensions with U.S. global economic partners, especially China—has to be on your radar. Many economists expect an economic recession by June 2020. Is your bank prepared for that?

Bank leadership teams must monitor technological advances, cybersecurity concerns and an ever-evolving set of customer and investor expectations. But other issues can’t be ignored either.

At our upcoming event in Chicago, the Bank Audit and Risk Committees Conference, I encourage everyone to remember that minds are like parachutes. In the immortal words of musician Frank Zappa: “It doesn’t work if it is not open.”

Here’s What Bankers Are Asking About Risk Committees

One of the central topics of conversation at this week’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago is whether a bank’s board of directors should have a risk committee separate from its audit committee. And for banks that have already established a risk committee, the question is what responsibilities should be delegated to it.

In one respect, the question of whether a bank should establish a risk committee seems easy to answer because it’s clearly delineated in the regulations. Under the original Dodd-Frank Act of 2010, banks with more than $10 billion in assets are required by law to have one, though that threshold was raised to $50 billion in legislation enacted last month designed to ease the burden of the post-financial crisis regulatory regime on smaller banks.

There is a general consensus among attendees at this year’s conference that a bank shouldn’t base its decision to establish a risk committee solely on a size threshold. “Now that we have a risk committee, I don’t know how we did it without one,” said Tom Richovsky, chairman of the audit committee at United Community Banks, a $12.3-billion bank based in Blairsville, Georgia.

Rob Azarow, a partner at Arnold & Porter, says the decision should be informed by two factors in addition to size. The first is the complexity of a bank, with the presumption being that a bank with a more complex business model should establish a risk committee sooner than a bank with a less complex model. The second factor is dollars and cents—namely, whether a bank has the internal resources at its disposal to essentially split its existing audit committee into two.

It’s worth noting as well, as Azarow points out, that even under the new legislation, the Federal Reserve retains the authority to require a bank to implement a risk committee, irrespective of size. Another point to keep in mind is that even for banks not required as a result of their size to establish a risk committee, once established, it is subject to regulatory oversight.

Approximately half the banks at this year’s Bank Audit & Risk Committees Conference have both types of committees—audit and risk—with many of the others still weighing the pros and cons of establishing both.

Deciding whether to have a risk committee is only half the battle; the other half involves deciding exactly what that committee should do. Should it be vested with all risk-related questions, thereby taking authority over those questions away from other committees? Or should the other committees retain their authority over the risks relevant to them, while the risk committee plays the role of overseeing an aggregated view of those risks?

This distinction is clearest in the context of the credit committee, for example. One of the fundamental purposes of a credit committee is to gauge credit risk. It isn’t uncommon, for instance, for a bank to require its credit committee to approve especially large loans. Would the risk committee now handle this?

Generally, the answer is no. The role of the risk committee when it comes to credit risk is broader, focused on concentration risk as opposed to the risk associated with individual credits.

Another place this comes up is in the context of technology and information security. While the audit committee would retain the authority to ensure that current laws, regulations and best practices are being abided by, the risk committee would be more focused on looming threats.

Deciding which responsibilities fall under the risk committee as opposed to, say, the audit and credit committees seems to boil down to the question of whether the issue is backward-looking or forward-looking, tactical or strategic. Issues that are forward-looking and strategic should go to the risk committee, with the rest remaining under the jurisdiction of their home committees.

To be clear, conclusions on when and how to charter a risk committee are far from settled. There are rough best practices, but no overarching consensus in terms of bright lines. Even banks that have established separate risk committees with clearly delineated duties are still in a process of adjustment. They’re happy with their decision to do so, but they recognize that this is more of an evolution than a revolution.

How Union Bankshares Focuses on Risk

Chief risk officers, risk committees and enterprise risk management—which go together like toast, eggs and ham—are still relatively new concepts in banking even though they have been mandated by the Federal Reserve Board since 2014 for institutions of a certain size. Banks with $10 billion in assets or greater are required to have an enterprise-wide risk committee, and banks above $50 billion must also have a chief risk officer. Union Bankshares Corp., a $7.8 billion asset institution headquartered in Richmond, Virginia, has all three. Under the leadership of Executive Vice President and Chief Risk Officer David G. Bilko, the holding company for Union Bank & Trust implemented its ERM program two years ago. Bilko is an enthusiastic supporter of an ERM approach, which he believes provides a clearer, more unified view of the bank’s risk profile than its previous approach, which tended to be fragmented. In an interview with Bank Director Editor in Chief Jack Milligan, Bilko talks about the challenges of implementing an ERM program, among other topics.

Define your role at Union. What are you responsible for?
Bilko: In a nutshell, my responsibility can be boiled down to this: I own the design, implementation and governance of the enterprise risk management program.

We utilize the traditional three-lines-of-defense model. From a risk management perspective, the first line, which is the front line of the business units and support functions, really owns and is responsible for managing risk. The second line, which is the ERM function that I manage, provides the program, tools, standards and consistent practices that we use to help the first line in their risk management responsibilities. The third line of defense, which is the internal audit function, does the test work to ensure that those things are working properly.

How long has Union had an enterprise risk management program in place? What were some of the big challenges you had to deal with in terms of implementation?
Bilko: We’ve had our ERM program fully in place for about two years now. It took us eight months or so to get the foundation laid and put the elements of the program in motion. We started with more of a top-down approach to make sure we had the right governance structure, the reporting structures to the board and executive management, set up. Concurrently, we implemented what I would call the bottom-up part of it, which is the grass-roots risk and control assessment process.

It takes time to get that into motion and by the latter half of 2014, we were finished, or at least established in a consistent fashion. We’ve just continued to build on it from there. It’s really a maturation process. It’s never over. You always have to continue to mature and get better at it.

In terms of challenges, one is awareness. In an organization such as ours, where risk management was more distributed across the organization, we were doing it but it was ad-hoc in nature and not tied together in a central program, or a consistent discipline across the organization.

You have to make people aware of what enterprise risk management is, and what it isn’t, and who’s doing what, and how it’s supposed to work, and what the governing principles are. The awareness piece of it is an educational process that takes time, and is a challenge, in terms of how you go about that.

Which also leads into another challenge, which is role clarity. I mentioned the three lines of defense; people need to know what is expected of them under the program.

ERM gives you a holistic view of risks throughout the enterprise. That sounds like something that’s good to have, but does it really, in a very tangible way, enable management and the board to control risk more effectively than when risk management was siloed—or as you put it, distributed—throughout the organization?
Bilko: In my opinion, it does because it allows you to break down your risks into portfolios that receive very focused attention on a regular basis. There’s constant assessment and identification of risk that leads to control or mitigation, and it all rolls up into a risk profile at the portfolio category level, which would include such risks as credit, market, operational, strategic and reputation, that then can be consolidated into an aggregate portfolio for the institution. We provide quarterly updates on those risk portfolios as well as the aggregate risk profile, so that anything that needs to be addressed is addressed more quickly.

We’re able to get a more forward-looking view rather than always looking behind us, which is more of the old way. This is much more dedicated to seeing the train coming at us rather than looking at it right after it’s run over us.

What advice would you give another bank that is starting down the path of ERM design and implementation, based on your experience?
Bilko: First of all, there’s a ton of information and knowledge available today on ERM. You can find whatever you want just by searching the internet, not to mention all the consulting firms that offer advice on it. There’s no shortage of information.

I think the biggest thing you have to do is align the program with your culture. If you do something because it’s traditional, or best practice, but is counter to your culture, it’s going to be way more difficult to implement.

One of the things that I focused on here was to make sure I understood our culture, so that we could implement or build a program that was aligned with that, recognizing that culture changes over time.

I also think it’s important to keep it simple so that it’s easier to create and to understand for the people who are involved in it.

What’s your reporting relationship with Union’s CEO, William Beale, and with the board of directors? How do you line up with both of them from a communication and accountability perspective?
Bilko: I report directly to our CEO. He actually sits in the office right next to mine, and he keeps me close by. We talk a lot. He’s very inquisitive and very focused on ERM, and he uses me a lot as a sounding board on a lot of different risk and control issues.

The way we’re set up is, I have a direct reporting line into the CEO and a dotted line into the risk committee of the board. I kind of view it as a triangle: the CEO, the board’s risk committee and myself. We try to keep the triangle intact, and be very transparent with everything we’re doing. I think that’s a good way to do it. The risk committee is very involved in the oversight of the enterprise risk management program. Our CEO’s participation and interaction in my process allows us to be better and more effective in terms of governance reporting and actual practice.

Union has both an audit committee and a risk committee. How has the board divided up risk governance between the two, and how often, and in what way, do you communicate with both committees?
Bilko: The risk committee of the board is charged with the oversight of enterprise risk management. All the elements of that program are under their umbrella, and we report on them. To draw the distinction between the risk and audit committees, I participate in the audit committee meetings just like our chief audit executive participates in our risk committee meetings. There is a lot of sharing going on there and a lot of interaction. I hear what the conversations are within the audit committee realm from a control perspective and risk mitigation perspective. In the same vein our chief audit executive hears that from the risk committee side. There’s a fairly deep connection there.

Additionally, our audit committee and risk committee have a joint meeting once a year where all the directors on those committees are in the same room and we build an agenda that reflects what the risk management program is doing and reporting on, as well as what the audit group is involved with and some of the significant issues that they’re reporting on.

And finally, we have two directors that are on both the audit committee and the risk committee, so there’s that cross-over that’s happening as well.

I wouldn’t characterize it as dividing up risk between the two committees. I would characterize it as more open and broader communication across the committees so that both are aware of what’s going on, what issues need to be discussed, elevated and acted on. The full board is getting the benefits of those reports from both committees, and they’re both in the know.

Regulation becomes much tougher when a bank crosses over the $10 billion asset threshold. My understanding is that the regulators don’t wait until you get there and then suddenly look at you differently. As you get closer to that magic number, they want to know where you’re going as an organization. They want to know what your growth plans are, they want to know where you think the bank might be in five years, and they want you to start building an infrastructure that is scalable and appropriate for a larger bank, even if you haven’t reached that point legally. Is that how it works, in your experience?
Bilko: Yes. The way you described that is pretty spot on. The regulatory agencies, and our primary regulator is the Federal Reserve, want to understand your objectives, your strategies, and if those strategies are growth oriented. We have regular conversations with our counterparts at the Federal Reserve to keep abreast of those types of things and what we can expect. Clearly, it’s a matter of readiness and scalability. If you’re going to grow, you need to be ready to grow. When they talk about it, that boils down to infrastructure and processes that are capable of handling that growth dynamic. It’s something that we’ve certainly experienced over the last few years as we’ve continued to execute our growth strategy.

What do you think that the greatest risk challenges are facing banks today, including Union? What do you worry about most? What would keep you up at night?
Bilko: I get asked that question a lot, actually. I think what’s top-of-mind always—and it seems to be what we read about the most—is the risk associated with technology, vulnerability to data loss, information security, breaches, those sorts of things. We can play defense, but the bad guys are really good at playing offense, so our defense lags. We don’t consider ourselves necessarily to be a prime target, but the effort to keep our data protected is an ongoing imperative.

Process discipline has also become very important. Operationally, we want to be very sure that we have appropriately determined the risk around our processes, and that they are controlled adequately and are kept up to date. Typically, where you have gaps in your processes is where you have breakdowns.

I would summarize by saying that a lot of risk management is change management—adapting your risk practices to the constant changes that are occurring. We live in a rapidly changing world, both regulatory and otherwise, and we have to be able to adapt quickly.

What’s your professional background, and what path did you follow to become a chief risk officer?
Bilko: I have spent my entire career in banking, at both big banks and small banks. I worked for a couple of years in retail banking, and then a couple of years in the support group for lending. But up until about the last six years, most of my career has been spent in internal audit. I have been involved with, or at least got to see and learn, just about every aspect of the business, and every area within the institution. It created a broad view for me, of how things run and what makes these banking organizations tick.

Over the course of time, I was able to really understand all the different functions and businesses within [a banking] organization. Later on, I became more involved in the management and infrastructure of the company as chief audit executive. It was kind of a natural progression from the control world of internal audit to a broader enterprise-risk view.

Internal audit seemed to be a logical training ground for a chief risk officer because there’s probably no one who has a better view of the entire organization than the internal audit team. It’s their job to poke into everything. Are there other disciplines within the bank that could also be good training ground for CROs?
Bilko: I would say that beyond internal audit, there are certainly other skills that will add to the versatility. Technology, data management and data analytics are such a large part of what we do today—and will be going forward—so there’s a clear need for experience and background in utilizing data to better identify, understand and prevent risk incidents or events. The whole big data thing is important to translate well into the risk management world.

And it will never hurt to live for a little while in the credit space, particularly if you’re doing some credit analysis, or you’re supporting a lending activity, where you get to understand the underwriting criteria and loan portfolios.

Taking on the Toughest Challenges

As bank leaders explore different avenues for growth, they must also weigh the risks that could threaten their institution. In this panel discussion from Bank Director’s 2016 Bank Audit & Risk Committees Conference, led by President & CEO Al Dominick, Dale Gibbons of Western Alliance Bancorp., Lynn McKenzie of KPMG and Bill Fay of Barack Ferrazzano Kirschbaum & Nagelberg focus on the key issues that bank boards and executive teams need to address, from third-party vendor risk to strategic growth.

Highlights from this video:

  • Top Issues for Audit & Risk Committees
  • Aligning Growth Strategy & Risk
  • Evaluating Partnership Opportunities
  • Addressing Technology & Cybersecurity as a Board

Fog of War: Serving on a Bank Board

“I know what many of you are thinking. You’re thinking, ‘This man is duplicitous.’ You’re thinking that he has held things close to his chest. You’re thinking that he did not respond fully to the desires and wishes of the American people. And I want to tell you ‘you’re wrong.’”
–Robert S. McNamara in “The Fog of War,” a documentary.

Defense Secretary Robert McNamara made a lot of unfortunate decisions during the Vietnam War, depicted in the 2003 documentary, “The Fog of War.” Some of the battles that banks face are obviously not as horrifying as an actual war. But they do involve a great deal of money. And any decisions involving a great deal of money require a great deal of care. Banks and their customers are under increasing attack by highly sophisticated cyber criminals successfully stealing confidential information and hundreds of millions or even billions of dollars. (There is no comprehensive official number or record keeping.) Bank boards are trying to figure out how to respond and what to do to provide proper oversight of their security apparatus.

“In terms of cyber crime, a lot of us think it’s going to get worse before it gets better,” said Ken Jones, director of fraud risk management at the consulting firm KPMG, speaking to an audience of about 300 people at Bank Director’s Bank Audit & Risk Committees Conference in Chicago recently. “The (community banks) here are absolutely a focus of the international cyber criminals.”

While some vendors may have a personal interest in terrifying you, it was clear to me that many bank directors in the audience are very concerned about cyber attacks and whether their banks are adequately addressing the problem. Is your bank staff staying abreast of threats, using security software the way it was intended and keeping a keen eye on your IT vendors? Other threats that could prove to be very costly in the years ahead include:

Interest rate risk. Many banks are extending credit at a fixed rate of interest for longer terms in an effort to compete and generate much-needed returns. This will be a problem for some of them when interest rates rise and low cost deposits start fleeing for higher rates elsewhere. You could assume the asset/liability equation will equal out, but will it? Steve Hovde, president and CEO of the investment bank Hovde Group in Chicago, is worried about financial institutions taking on too much interest rate risk, as he has seen credit unions offer 10- or 15-year fixed-rate loans at 3.25 percent interest. “I’m seeing borrowers get better deals with good credit quality than they have ever gotten in history,” he said at the conference.

Reputation risk. In the age of social media, anyone can and does publicize to hundreds of friends any complaint against a bank. Cyber attacks, such as the one that befell Target Corp., can be devastating and cost the CEO his or her job. Rhonda Barnat, managing director of The Abernathy MacGregor Group Inc., says it’s important not to give TV news an incentive to do a story, such as telling a reporter that your employee’s laptop was stolen at a McDonald’s with sensitive customer information, prompting a visit by the camera crew to the McDonald’s. As of now, there is no requirement to publicly disclose the number of records stolen, so public relations firms such as The Abernathy MacGregor Group urge circumspection. Disclosing a theft, but not disclosing how many customer records were stolen, could keep you off the front page of the local newspaper. Focus on the people who matter most: your customers, investors and possibly, your regulators. They want to know how you are going to fix the problem.

Compliance risk. Regulators are increasingly breathing down the necks of bank directors, wanting evidence that the board is actively engaged and challenging management. The official minutes need to reflect this demand, without necessarily going overboard with 25 pages of detailed discussion, for example. Local regulators are increasingly deferring questions to Washington, D.C., where they can get stuck in limbo. When regulators do give guidance, it is often only verbal rather than written and can cross the line into making business decisions for the bank, said Robert Fleetwood, a partner at Barack Ferrazzano in Chicago. In such an environment, it’s important to have good relations with your regulators and to keep them informed.

Does Your Bank Need a Risk Committee?

The focus on the board’s role in managing risk has certainly been in the spotlight in the years following the financial crisis, with the regulatory bar raised regarding risk governance. While publicly traded institutions with more than $10 billion in assets are specifically required to establish separate risk committees of the board, many smaller banks are doing so as well. In March, Bank Director’s 2014 Risk Practices Survey found that more than half of institutions with between $1 billion and $5 billion in assets and 76 percent of those with between $5 billion and $10 billion in assets now govern risk within a separate committee. Data for institutions with less than $1 billion in assets was not collected.

When does a bank need a separate board-level risk committee? Despite the rising popularity of risk committees, many community banks have not taken this approach, but instead govern risk in the audit committee or as an entire board.

Regardless of size, banks with a more complex risk profile have a greater need to govern risk within a separate board-level committee. Not only does a more complex organization intrinsically have a more complex risk profile, its audit committee will be more heavily tasked, leaving less time to devote to risk management matters. In that situation, “the best case scenario is to have two separate committees,” says Jennifer Burke, partner at accounting and consulting firm Crowe Horwath LLP.

Jim McAlpin, partner at Bryan Cave LLP, believes it best to separate risk and audit responsibilities if the bank has qualified directors for both committees. “Not all boards have qualified directors for this,” he says. “Unless you have adequate capability on the board, it’s not helpful to have both committees.”

The ability of the board to place appropriate members on a risk committee is important, and having those skills mirror that of the bank’s audit committee may not be the best approach. The risk analysis process focuses on more than just financial risk and requires directors who can anticipate a variety of problems that could be faced by the institution. “It’s good to have directors with a compliance or risk background that are used to thinking outside of the box. The most beneficial aspect of the risk committee is anticipation,” he says. “The board can charge management to focus on areas where risks appear to be developing.”

He sees more banks bringing in new directors with these skills, and there is no shortage of qualified candidates. That said, larger institutions can better attract directors from outside the community and recruit for these skills, so risk and compliance expertise may not be found on the boards of smaller, less complex banks. “So far, the regulators understand this,” says McAlpin.

Generally, the more complex an organization is, the more likely the regulators will be to urge the establishment of a stand-alone risk committee. McAlpin recommends that a board look at how many different business lines the bank has, particularly in consumer-facing areas like mortgage lending. Over the past two years, scrutiny by the regulators on consumer compliance has grown significantly, he says, resulting in greater risk to the bank regarding these issues. Further risk analysis may also be required if the bank is involved in business lines that regulators deem to be unique or cutting edge.

The maturity of the bank’s risk management program could also dictate whether the bank is ready to establish a separate risk committee.

Crowe Horwath Partner Mike Percy says that a more mature and developed enterprise risk management (ERM) program will allow the board to better assess and monitor risk. Without the robust set of information provided through a mature ERM program, a risk committee won’t have much to contribute. “If you lead with [the risk committee] before the processes are mature, I think it just frustrates” board members, he says.

But McAlpin can see how a risk committee could precede development of an ERM program or the hiring of a chief risk officer. “The risk committee could be the body to take the steps of driving the hire of risk personnel or implementation of ERM,” he says.

A bigger bank is, typically, a more complex one, so banks with plans to grow, whether through organic means or by acquisition, may consider beefing up their approach to risk governance. Percy says that some regulators, notably the Office of the Comptroller of the Currency, consider risk committees to be a best practice for institutions approaching $10 billion in assets.

Burke says that a bank’s growth strategy should be considered when a board makes a decision to have a risk committee, and for those with a more aggressive growth plan a risk committee is a best practice. “You’re making changes, you’re growing [and] your strategy is different from what it’s been in the past,” says Burke.

Growth typically results in additional personnel, business lines and assets, particularly as the result of a merger, which could lessen the certainty that the board knows everything it needs to know, says McAlpin.

“An acquisition strategy is just an additional complexity,” adds Percy. Banks with an eye to grow, particularly those above $1 billion in assets, need the infrastructure in place to support a larger organization, which could include a chief risk officer, an ERM program and a board-level risk committee.

“This side of the banking crisis, the attention to risk is greater than it was,” says Percy. Whether governed within a separate risk committee, combined with audit responsibilities or addressed as a full board, the board, along with senior management, is responsible for setting the tone for risk governance.

The Financial Stability Board, an international regulatory agency based in Basel, Switzerland, released guidance in April (“Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”) that details the elements of a sound risk culture within a financial institution. Though primarily intended for an audience of large, systemically important institutions, this report provides some basic tenets that can be applied to institutions of all sizes. A key element of a sound risk culture that is perhaps the most applicable to bank directors is the establishment of an “effective system of controls commensurate with the scale and complexity of the financial institution.”

In addition to a mature ERM program, this system of controls would include proper oversight by the board. McAlpin recommends that boards work with senior management to determine what areas of risk require the board’s focus. Independent analysis should play a role in these decisions. “If the board relies only on senior management, that’s a big mistake,” he says.