How Bank Boards Should Handle Regulatory Change

10-4-13-Manatt.pngBank directors should not think grimly about their service as a board member, even in the light of increased regulatory and shareholder pressure. While laws and regulations are constantly evolving, bank directors who approach their director work with clear focus, open lines of communication with management and a real understanding of the tenets of service as a director will be able to perform their functions at the highest levels that both regulators and shareholders have come to expect. Banks can, and must, build high performance boards that are ready to respond to the vast litany of responsibilities.

As a fundamental principal, the board must guide and set the overall strategic direction for a bank, and, in particular, establish the bank’s level of risk tolerance. How do high performance boards set that direction? They do that through approval of policies and procedures that set real standards for the scope and level of risk that a bank is willing to assume. Boards must ensure that this level of risk tolerance is communicated and adhered to at every level of the bank.

How can a board set this level of risk tolerance in responding to regulatory changes? Let’s take the Interagency Guidance on Sound Incentive Compensation Policies, which applies to all banks and thrifts. Incentive compensation benefits are used to attract key staff, induce better performance, promote employee retention and provide security to employees. In order to effectively analyze and ensure that incentive compensation arrangements at the board level take into account appropriate levels of risk, boards must clearly define an appropriate risk tolerance level which focuses on the long-term corporate health of an institution rather than quick, short-term gains. An incentive compensation policy should be structured around this framework.

How can you as a board member monitor management’s progress in both anticipating and responding to new regulations and assessing management’s ability to comply with new regulations? Ask questions in your board meetings and outside of your board meetings. Probe and challenge in a manner that is conducive to getting the information you need. Avail yourself of outside resources and advisors as appropriate.

Boards must also ensure that they have access to management and all employees at multiple levels. If boards are only getting information from their CEOs, they should be skeptical. Chief financial officers, chief credit officers, controllers and chief compliance officers, to name a few, all should all have the opportunity to present information to the board, and, as appropriate, be engaged in executive sessions where they can speak freely and openly about the supervisory and oversight process that management has provided.

In addition, boards must have independent sources of information separate and apart from management. In most board structures, for example, committees are devoted to overseeing various aspects of a bank’s overall operations. Audit committees can and should regularly interact with the bank’s independent auditors to make sure they are staying abreast of the latest developments. Similarly, compensation committees should leverage the work of outside counsel and advisors so that there is a complete understanding of significant changes in compensation rules and standards.

Finally, boards should consider charging committees with responsibility for overall risk management, whether at an executive committee level or with a specific risk management committee. Leveraging the work of committees can lessen the burden on any one particular director, as every director does not need to be an expert in every single field of exposure.

Building a high performance board today is not a luxury; it’s a requirement for success in an increasingly regulated and increasingly competitive environment.

A Simple Way to Develop a Bank’s Risk Appetite

9-16-13-Moss-Adams.pngIf you have some experience with enterprise risk management (ERM) implementation and evaluation projects for community financial institutions, two things quickly become apparent: No two ERM processes are exactly the same, and very few institutions like to put their risk appetite down on paper. The common reason for the latter seems to be the fear of being restricted by formal documentation. Institutions seem to be fine with the idea that their risk appetite is inherent in the decisions they make, so why spend time on something that doesn’t really move the organization forward?

But we’ve all seen too recently and frequently what the failure to properly manage risks can do to a financial institution. That’s why defining your risk appetite is the starting point for communicating risk management—it gives you a common baseline for communicating across the organization and sets the tone for risk management throughout the bank. Without it, you’re just assuming everyone is on the same page when it comes to risk management. Can you afford to take this chance?

As with many things that present a challenge, it often comes down to where to start. Consider starting with a risk continuum, with “Accepting of Risk” on the left and “Not Accepting of Risk” on the right. Take the various risk events you’re reporting to the board (ideally somewhere between five and 15 events), and plot them on the continuum by asking yourself, “How willing am I to accept the risk related to each event?” Are you more or less accepting of the risk of losing customers for not having the technological capabilities of larger institutions? Are you more or less accepting of concentrations in construction loans of a certain type in a certain area? New products? Loss of executive management? Regulatory violations? An untested disaster recovery plan?

As you plot all these critical risks, the ones furthest to the right on the continuum (the Not Accepting of Risk side) are essentially what defines your organization. If you take those risks and incorporate them into a general statement such as the following, you’ve essentially defined your risk appetite:

“The bank operates within a low overall risk range. Its lowest risk appetites relate to credit risk and concentrations in construction loans. The bank has a marginally higher risk appetite toward its strategic goals, including developing new products and implementing new customer-facing technologies. This means reducing to reasonably practical levels the risks originating from construction lending will take priority over our other strategic goals.”

That’s all you need to do to get a risk appetite started. Your risk appetite really should be general in nature to start and should be thought of as the overarching guidance for the whole organization. As you continue to reevaluate and redefine your appetite, you can become more precise if needed. From this risk appetite, you can develop more defined and specific risk appetites as you move down the organization—perhaps even better, you can develop risk tolerances.

There’s often confusion between the terms risk appetite and risk tolerance. Keep it very simple and think of risk tolerances as the metrics that often coincide with the strategic metrics, such as establishing a level of nonperforming loans to total loans that shouldn’t be exceeded. The appetite guides the tolerances, and the tolerances are consistent with the goals of the bank, which can be used to establish triggers as you approach various risk tolerances, so that corrective actions can be taken proactively.

Don’t commingle risk tolerances in your risk appetite. Remember to keep your risk appetite overarching and allow the risk tolerances to be specific to the various established risk areas (for example, strategic, credit, interest rate, liquidity, reputation, operational, compliance and legal risks).

Also, don’t overcomplicate the process of defining your risk appetite. Leverage the ERM work you’ve already completed and think general in nature. By doing this, you’ll find that your risk appetite statement can provide the overarching guidance needed—without being restrictive to your institution.