For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.
Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.
In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.
Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.
Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent have established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.
Other key findings:
Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer who is also focused on other areas of the bank.
Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed by, and compensation determined by, the board or a board committee.
Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.
Cybersecurity: Five Best Practices To Protect Your Bank
Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.
The banking industry has made great strides over the last few years in the management of risk, and a number of important best practices have begun to emerge, according to Bank Director’s 2014 Risk Practices Survey, sponsored by FIS. While the Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers, smaller banks are proactively following suit. By taking a more comprehensive approach to risk management, these institutions are reaping the benefits with improved financial performance.
The 2014 Risk Practices Survey reveals how these banks govern risk, and that a best-practice approach can positively impact financial performance. Creating and properly using a comprehensive risk appetite statement challenges many boards. Many see room for improvement in the quality and comprehensiveness of the bank’s enterprise risk management program. Tying risk management to the strategic plan and measuring its impact on the organization is difficult for many institutions, although those that have tried to measure the risk management program’s impact report a positive effect on financial performance.
Conducted in January, the survey is based on 107 online responses from independent directors and senior bank executives, primarily chief risk officers, of banks with more than $1 billion in assets.
Ninety-seven percent of respondents report that the bank has a chief risk officer or equivalent on staff, and 63 percent oversee risk within a separate risk committee of the board. Moreover, respondents whose banks have a separate board-level risk committee report a higher median return on assets (ROA), at 1.00, and higher median return on equity (ROE), at 9.50, compared to banks that govern risk within a combined audit/risk committee or within the audit committee.
Of those that oversee risk within a separate risk committee, 64 percent of respondents review the bank’s strategic plan and risk mitigation strategies, while the remaining 36 percent do not yet do so.
Tools like the risk appetite statement, the enterprise risk assessment and risk dashboard aren’t fully used. Only one-third of respondents feel that the bank’s risk appetite statement covers all the risks faced by the institution, and less than half use it to provide limits to board and management. Just 13 percent analyze the risk appetite statement’s impact on financial performance.
Just 17 percent of respondents review the bank’s risk profile and related metrics at the board and executive level monthly. Almost half review these metrics quarterly, while 23 percent review twice a year or annually.
Fifty-seven percent of directors feel that the board could benefit from more training in understanding how new regulations impact and pose risk to the bank, and 53 percent want a deeper understanding of emerging risks, such as risks associated with cybersecurity or Unfair, Deceptive or Abusive Acts or Practices (UDAAP). Conversely, senior executives feel that the board needs more training in overseeing the bank’s risk appetite, and in understanding risk oversight best practices and how other banks govern risk.
The regulatory environment continues to challenge bank boards. Fifty-five percent cite the volume and pace of regulatory change as the environmental factor most likely to cause risk evaluation failures at the bank.
More than half of bank officers, and 40 percent of respondents overall, say that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge.