2022 Risk Survey Results: Walking a Tightrope

Despite geopolitical turmoil following Russia’s invasion of Ukraine, the Federal Reserve opted to raise interest rates 25 basis points in March — its first increase in more than three years — in an attempt to fight off a high rate of inflation that saw consumer prices rising by 7.9% over the preceding year, according to the Bureau of Labor Statistics.

“Inflation remains elevated, reflecting supply and demand imbalances related to the pandemic, higher energy prices, and broader price pressures,” the central bank said in a statement. The Federal Open Market Committee (FOMC) is the policymaking body within the Fed that sets rates, and Fed Chairman Jerome Powell remarked further that the FOMC will continue to act to restore price stability.

“We are attentive to the risks of further upward pressure on inflation and inflation expectations,” Powell said, adding that the FOMC anticipates a median inflation rate of 4.3% for 2022. He believes a recession is unlikely, however. “The U.S. economy is very strong and well-positioned to handle tighter monetary policy.”

Six more rate hikes are expected in 2022, which overshoots the aspirations of the directors, CEOs, chief risk officers and other senior executives responding to Bank Director’s 2022 Risk Survey, conducted in January. Respondents reveal a high level of anxiety about interest rate risk, with 71% indicating increased concern. When asked about the ideal scenario for their institution, almost three-quarters say they’d like to see a moderate rise in rates in 2022, by no more than one point — significantly less than the 1.9% anticipated by the end of the year.

Moss Adams LLP sponsors Bank Director’s annual Risk Survey, which also focuses on cybersecurity, credit risk, business continuity and emerging issues, including banks’ progress on environmental, social and governance (ESG) programs. More than half of the respondents say their bank doesn’t yet focus on ESG issues in a comprehensive manner, and just 6% describe their ESG program as mature enough to publish a disclosure of their progress.

Developments in this area could be important to watch: The term ESG covers a number of key risks, including climate change, cybersecurity, regulatory compliance with laws such as the Community Reinvestment Act and operational risks like talent.

“Finding employees is becoming much harder and has us [looking] at outsourcing (increased risk) or remote workers (increased risk),” writes one survey respondent. Workers want to work for ethical companies that care about their employees and communities, according to research from Gallup. Could a focus on ESG become a competitive strength in such an environment?

Key Findings

Top Risks
Respondents also reveal increased anxiety about cybersecurity, with 93% saying that their concerns have increased somewhat or significantly over the past year. Along with interest rate risk, regulatory risk (72%) and compliance (65%) round out the top risks. One respondent, the CRO of a Southeastern bank between $1 billion and $5 billion in assets, expresses specific concern about “heightened regulatory expectations” around overdraft fees, fair lending and redlining, as well as rulemaking from the Consumer Financial Protection Bureau around the collection of small business lending data.

Enhancing Cybersecurity Oversight
Most indicate that their bank conducted a cybersecurity assessment over the past year, with 61% using the Cybersecurity Assessment Tool offered by the Federal Financial Institutions Examination Council (FFIEC) in combination with other methodologies. While 83% report that their program is more mature compared to their previous assessment, there’s still room to improve, particularly in training bank staff (83%) and using technology to better detect and/or deter cyber threats and intrusions (64%). Respondents report a median budget of $200,000 for cybersecurity expenses in fiscal year 2022, matching last year’s survey.

Setting ESG Goals
While most banks lack a comprehensive ESG program, more than half say their bank set goals and objectives in several discrete areas: employee development (68%), community needs, investment and/or volunteerism (63%), risk management processes and risk governance (61%), employee engagement (59%), and data privacy and information security (56%).

Protecting Staff
More than 80% of respondents say at least some employees work remotely for at least a portion of their work week, an indicator of how business continuity plans have evolved: 44% identify formalizing remote work procedures and policies as a gap in their business continuity planning, down significantly compared to last year’s survey (77%). Further, banks continue to take a carrot approach to vaccinations and boosters, with most encouraging rather than requiring their use. Thirty-nine percent require, and 31% encourage, employees to disclose their vaccination status.

Climate Change Gaps
Sixteen percent say their board discusses climate change annually — a subtle increase compared to last year’s survey. While 60% indicate that their board and senior leadership team understand the physical risks to their bank as a result of more frequent severe weather events, less than half understand the transition risks tied to shifts in preferences or reduced demand for products and services as the economy adapts.

To view the high-level findings, click here.

Bank Services members can access a deeper exploration of the survey results. Members can click here to view the complete results, broken out by asset category and other relevant attributes. If you want to find out how your bank can gain access to this exclusive report, contact [email protected].

The Most Important Aspect of Third-Party Risk Management

Third-party risk management, or TPRM, is a perpetual hot topic in banking and financial services.

Banks are outsourcing and using third parties for a range of products, services and activities as the financial services landscape becomes more digital and distributed. A common refrain among regulators is that “you can outsource the activity, but you can’t outsource the responsibility.” Banks can engage third parties to do what they can’t or don’t want to do, but are still on the hook as if they were providing the product or service directly. This continues to be a common area of focus for examiners and has been identified as an area for potential enforcement actions in the future.

Given the continuing intense focus on third party activities and oversight, one word comes to mind as the most critical component of TPRM compliance: structure. Structure is critical in the development of a TPRM program, including each of its component parts.

Why is it so critical? Structure promotes consistency. Consistency supports compliance. Compliance mitigates risk and liability.

Banks with a consistent approach to TPRM conduct risk assessments more easily, plan for third party engagements, complete comprehensive due diligence, adequately document the relationship in a written agreement and monitor the relationship on an ongoing basis. Consistency, through structure, ultimately promotes compliance.

Structure will become increasingly important in TPRM compliance, given that the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency issued proposed interagency guidance on TPRM last summer. While the guidance has not been finalized as of this publication, the concepts and substantive components have been in play for some time; indeed, they are based largely on the OCC’s 2013 guidance and FAQs on the topic.

Generally, the proposed guidance contemplates a “framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.” Like other areas of risk management, this framework should be tailored based on the risks involved and the size and complexity of the banking organization. Fortunately, interagency guidance will enhance the consistency of the regulatory examination of TPRM compliance across banks of all sizes and charter-types.

The proposed guidance outlines the general TPRM “life cycle” and identifies a number of principles for each of the following stages: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The first three stages of this TPRM life cycle benefit the most from a structured approach. These three stages have more stated principles and expectations outlined by the banking agencies, which can be broken down effectively through a properly structured TPRM program.

So, when looking at improvements to any TPRM program, I suggest bank executives and boards start with structure. Going forward, they should consider the structure of the overall program, the structure of each of the stages of the life cycle outlined by the banking agencies and the structure of compliance function as it relates to TPRM. An effective strategy includes implementing a tailored structure at each stage. If executives can accomplished that, they can streamline compliance and make it more consistent throughout the program. Structure provides certainty as to internal roles and responsibilities, and promotes a consistent approach to working with third parties.

Why Your Bank Should Have a Capital Plan


strategic-planning-7-24-15.pngThree significant events have altered expectations for capital plans. First, as of January 1, 2015, banks need to comply with the new BASEL III capital requirements, including the new “capital conservation buffer.” Second, regulatory authorities now view strategic planning and capital planning as risk appetite and risk mitigation documents, respectively. Finally, the demise of the market for trust preferred securities has reduced the ability to raise just–in–time capital, which was a prevalent concept from 2005 to 2009.

Every board should ask the hard question of whether or not the depository institution has sufficient capital to (1) address BASEL III regulatory requirements, (2) navigate the current economic environment, and (3) implement the desired strategic plan for the depository institution. If the answer is no, management should focus on how much capital is needed, and the board and management should determine the sources for funding those needs.

Even if you currently have a capital plan, it may not “chin the bar” with the regulators. Traditional two–page or five–page capital plans are falling short of what regulators expect to see in capital plans. Such plans are now becoming much more robust and are truly a management planning tool rather than simply something that is “nice to have.” A strong capital plan is a critical document, as it ensures that there is enough fuel to drive the bank’s strategic plan and ensures that there is adequate insurance against the bank’s risk profile. Every depository institution, even healthy depository institutions, should have a comprehensive capital plan that dovetails with its strategic plan and its enterprise risk management plan.

The regulatory agencies are clearly steering institutions away from the concept of just–in–time capital that resulted in many depository institutions finding trouble in 2008 and 2009. Some regulators have even hinted that a comprehensive capital plan may soon be an integral part of the safety and soundness examination process, perhaps showing up as an element in the capital or management component of the CAMELS–rating system. Some of our clients have already received questions in this regard in light of upcoming regulatory examinations, so it is likely a trend that will only continue to become more frequent and ultimately a requirement.

The breadth and depth of a comprehensive capital plan will, of course, depend on the risk profile of the depository institution. While there is no magic outline for a capital plan, almost all capital plans should have a few critical components: (a) background on the depository institution’s strategic plan, operations, economic environment and current capital situation, (b) tolerances and triggers, (c) alternatives for available capital, (d) perhaps a dividend policy and (e) financial projections.

The tolerances and triggers may be the most important part of the capital plan, as this is how the institution will avoid needing just–in–time capital. The identification of tolerances and triggers operate as an early warning system to alert management that capital may become stressed in the near future. Careful planning should take place when considering what the tolerances and triggers will be, as these are the key drivers in making the capital plan a true planning tool.

In summary, capital planning is an important, if not necessary, tool for any depository institution, regardless of condition. There is a growing sea change in how the regulators view the necessity of a capital plan, and a growing expectation that every depository institution have a viable capital plan. It is important to note, however, that there is no one–size–fits–all capital plan that can be pulled off of a shelf as a form document. Instead, the plan should be carefully considered and evaluated, either as part of the institution’s strategic plan or as a separate plan working in tandem with the strategic plan. Finally, after it is prepared, the capital plan cannot simply sit on the shelf, but should instead be treated as a living, breathing document that will need to be revised as the economic and regulatory environment, risk profile, strategic direction and capital resources available to the institution change over time.