Bank Director | Strategic Risk Archives

Top Five Ways Mergers Will Achieve the Needed Economies of Scale (Because Most Don’t)

Posted on October 21, 2015 at 8:50 am.

Achieving economies of scale is one of the key strategic reasons behind a bank merger. The thinking is that a larger institution can spread costs such as investments and regulatory burdens across a larger customer and revenue base. Plus, for banks with $10 billion and more in assets, a merger offsets the lower interchange revenue from the Durbin Amendment and higher regulatory requirements.

Data from the Cornerstone Performance Report shows that the necessary improvements to productivity often fall short of the economies of scale that make a merged bank more competitive. In the report, Cornerstone compares “assets per employee” for banks of two broad asset size ranges.

	Banks $5B-$10B		Banks $10B-$20B
	Peer Median	75th Percentile	Peer Median	75th Percentile
Assets per employee	$4,433,255	$5,500,897	$5,642,144	$7,229,156
Return on average assets	0.80%	1.07%	0.99%	1.11%

A median performer in the $5 billion to $10 billion group needs to achieve a 24 percent productivity improvement to become a 75th percentile performer and a 27 percent productivity increase to be a median performer once it breaks the $10 billion barrier. However, most merger cost savings usually target 20 to 30 percent of expenses—with 50 to 60 percent of those savings being people-related. In other words, a bank’s cost-save targets may enable it to achieve 75th percentile productivity temporarily but it will revert back to the “average” as the bank grows. Clearly, banks do not pursue mergers to sustain mediocrity. A bank that is a median performer today in the $10 billion to $20 billion asset category would need to improve by 63 percent to achieve and sustain high productivity performance.

So, how can banks turbo-charge their merger efforts to achieve high-performer economies of scale and productivity improvements? Here are five ways:

Ensure that the bank is performing an integration and not just a conversion. The terms “integration” and “conversion” are often used interchangeably. However, they are very different. Integration includes conversion (i.e., getting all customers and employees on common technology platforms) and a rigorous evaluation and streamlining of the bank’s operating processes and organization. Conversions do contribute to productivity saves and scale but not to the extent that integration does. In the race to convert their core, Internet banking and other systems, many banks will not perform any significant redesign. Serial acquirers often fall into this trap as they want to convert quickly and move on to the next deal. Nine times out of 10, the serial acquirer’s processes are geared to a much smaller institution and eventually break down, requiring the bank to stop and truly integrate.
Ensure that metrics related to scale benefits (both bank-wide and in key functions) are included in any merger reporting. Management and board reporting typically include progress based on achieving milestones, which usually just measures conversion priority. Tracking benefits such as productivity improvements is as important as integration costs and cost-saves. Managing conversion risk is a critical responsibility for the board and management, but so is managing the strategic risks of not being competitive because the bank is less productive than its competitors.
Engage and empower younger managers in the integration process. Banks that pursue true integration often fall short of full success due to an inability to change. Senior managers 1) feel comfortable with what they do and are reluctant to change, and 2) want to change but don’t know how (i.e., don’t know what they don’t know). This occurs most often when a transaction or series of transactions increases the bank’s assets by 30 to 50 percent in a short period of time—when real change is required. Fresh perspectives in the form of newer and younger managers who are free of a “we’ve always done it that way” mindset can help drive new ways to do business that better leverage technology and/or streamline processes.
Discourage “Phase 2.” Banks sometimes approach productivity savings by planning a Phase 2 after conversion to optimize processes, better leverage technology, and so forth. Phase 2 almost never happens, especially with serial acquirers because other priorities or opportunities arise, causing banks to leave money on the table. If the bank insists on a Phase 2, ensure the initiative is continually monitored and measured as part of ongoing merger reporting.
Integrate to what the bank will look like in the future—not just what it will look like after a transaction. Determine the performance levels (and metrics) for a much larger institution and plan the integration efforts to achieve them.

Regulatory Scrutiny Focuses on Inadequate Strategic and Capital Planning

Posted on September 24, 2015 at 1:39 pm.

Written by Adam Mustafa

Once again, regulators are zeroing in on inadequate strategic and capital planning processes at many community banks.

The Office of the Comptroller of the Currency (OCC) listed “strategic planning and execution” as its first supervisory priority for the second half of 2015 in its mid-cycle status report released in June. That echoes concerns from the latest OCC semiannual risk perspective, which found that strategic planning was “a challenge for many community banks.”

FDIC Chairman Martin J. Gruenberg said in May that regulators expect banks “to have a strategic planning process to guide the direction and decisions of management and the board. I want to stress the word ‘process’ because we don’t just mean a piece of paper.”

He said that effective strategic planning “should be a dynamic process that is driven by the bank’s core mission, vision and values. It should be based on a solid understanding of your current business model and risks and should involve proper due diligence and the allocation of sufficient resources before expanding into a new business line. Further, there should be frequent, objective follow-up on actual versus planned results.”

In writing about strategic risk, the Atlanta Federal Reserve’s supervision and regulation division said that “a sound strategic planning process is important for institutions of all sizes, although the nature of the process will vary by size and complexity.” The article noted that the process “should not result in a rigid, never-changing plan but should be nimble, regularly updated (at least annually) and capable of responding to risks and changing market conditions.”

Given economic changes and increased market competition, community banks must understand how to conduct effective strategic planning. This is more important now than ever, says Invictus Consulting Group Chairman Kamal Mustafa.

The smartest banks are using new analytics to develop their strategic plans— not because of regulatory pressure, but because it gives them an edge in the marketplace and a view of their banks they cannot otherwise see, Mustafa said.

“Strategic planning is useless without incorporating capital planning. The most effective capital planning is built from the results of stress testing. These critical functions—strategic planning, capital planning and stress testing—must be integrated if a bank truly wants to understand its future,” he said.

He advises banks to use the same fundamental methodology for both capital planning and strategic planning, or else they will run the risk of getting misleading results. This strategy is also crucial in analyzing mergers and acquisitions.

OCC Deputy Comptroller for Supervision Risk Management Darrin Benhart also advises community banks to use stress testing to determine if the bank has enough capital. “Boards also need to make sure the institution has adequate capital relative to all of its risks, and stress testing can help,” he said in a February speech. “We also talk about the need to conduct stress testing to assess and inform those limits as bank management and the board make strategic decisions.”

Will Cybercrime Erode Confidence in Banks?

Posted on June 8, 2015 at 12:54 pm.

Written by Jack Milligan

Recently I was reviewing some material about cybersecurity which contained, among other things, an explanation of how thieves successfully used remote access Trojans and keystroke logging at bank ATMs around the world to steal customer information and ultimately rip off banks for tens of millions of dollars. I was familiar with the incident because we wrote about it in our 1st Quarter 2014 issue, but here’s the thing: I was about to deposit a couple of hundred dollars in checks and cash at one of my bank’s ATMs, and it made me stop and wonder if I should do that. I hadn’t been in a bank branch in a couple of years (and in fact rarely even use ATMs anymore), but I considered whether I should make the deposit in the branch instead to avoid putting myself at risk by using a machine that conceivably has been hacked.

Technology has had a transformative impact on banking over the last couple of decades—and the revolution actually seems to be accelerating with the explosive popularity of mobile access and new concepts like the cloud, and also the emergence of nonbank financial technology companies that rely almost entirely on technology for their user interface. The advance of technology in banking is exciting because of the cost and customer service benefits it promises to deliver, but this same technology has also become something of a Trojan horse (tortured metaphor intended) from a risk perspective. Cyberattacks are occurring with an increasing frequency that is alarming, and banks are hard pressed to keep up with the advanced tactics of the attackers. In fact, if we were to characterize this as an arms race between hostile parties—the banks versus the hackers—the banks are losing.

Eighty-two percent of the respondents to our 2015 Risk Practices Survey identified cybersecurity as the risk category they are most concerned about, compared to regulatory compliance at 52 percent, and credit quality at 37 percent.

Cybersecurity will have an important place on the agenda at our 2015 Bank Audit & Risk Committees Conference scheduled for June 11-12 in Chicago. Any bank board of directors that isn’t worried about its institution’s vulnerability to a cyberattack is asleep at the table. What should directors be doing to make their banks as safe as possible? The first step is to educate themselves on the nature of cyberrisk so they understand the threat well enough to ask good questions. This undertaking will be the very definition of continuing education because the threat is constantly evolving. Boards also need to make sure that they are spending enough money on cybersecurity. Fifty-two percent of the respondents to our risk survey increased their cybersecurity budget by less than 10 percent for 2015, and 21 percent saw no increase for the year—spending levels that probably aren’t enough given how quickly the threat is escalating. Cybersecurity should be a standing topic on every regularly scheduled board meeting so that directors gain an understanding of the topic while keeping themselves well briefed on the latest security developments at the bank. And the board needs to have an incident response plan in place when a cyber intrusion does occur, because it’s simply a matter of when, not if.

As I write this blog, I still haven’t decided how I will deposit those checks and cash that I have. And that points to one of the most damaging effects of cyberattacks: They have the potential over time to erode confidence in a banking system that relies increasingly on technology. I have read comments of late from people who say they’ve stopped using their debit cards for small purchases, but use cash instead because they’re afraid of having their checking accounts drained if a hacker steals their customer information. That sounds like a step backwards to me at a time when banks should be helping their customers step forward with the help of technology.

How the Board Can Manage Risk

Posted on June 3, 2015 at 10:04 am.

Written by mdailey

The prolonged low interest rate environment, slowly improving economy, use of more sophisticated technology, and increased reliance on third party service providers each present inherent risk to individual banks and the industry as a whole. In the upcoming exam cycle, directors and senior managers will be under increased pressure by the bank regulatory agencies to demonstrate that their institutions maintain a robust risk management culture to account for these and other inherent risks.

Among the key risks facing banks today that the regulators expect boards and senior managers to address are:

strategic risk as banks adapt business models to respond to the current economic and competitive landscapes;
management succession and retention of key staff;
loosening loan underwriting standards;
expansion into new products and services;
exposure to interest rate risk;
oversight of third party service providers;
increased volume and sophistication of cyber threats;
BSA/AML risk from higher-risk services and customer relationships; and
maintaining effective compliance management systems.

Bank boards can go a long way toward proving the robustness of their risk management culture by focusing on the following five governance actions.

Discussion
The board should expressly charge senior management with the task of identifying those key risks, and any other material risk, to which the bank is exposed. It is management’s role to educate the board on the identified risks and to clearly and completely explain to the directors how each risk affects the bank. Armed with this information, the directors will be able to conduct the necessary detailed discussion of risk at board and committee meetings and to plan the bank’s strategy to effectively manage the identified risks.

Policies
Working with management, the board should develop and approve policies to manage the identified risks. Ultimately, it is the board’s responsibility to ensure the bank maintains appropriate and up-to-date policies to manage the bank. Off-the-shelf, generic policies will not pass muster. Policies should be tailored to the size, scope and complexity of the individual bank’s operations and identified risks; a policy appropriate for the bank down the street is not necessarily appropriate for your bank. The board should review and approve the policies on at least an annual basis, making the necessary changes and additions based on the evolution of the risk to the bank.

Implementation
Each policy should contain procedures for implementation of the policy and training of appropriate personnel. It is imperative the board and management give thoughtful consideration to the personnel who should receive training. For example, the risk of cyber threats to the bank demands that all employees, from entry level staff to the CEO, understand the bank’s cyber security policies and procedures and how their particular job at the bank is at risk; while the risk of loosening loan underwriting standards only applies to a smaller segment of the employee population. It is the board’s responsibility to monitor the complete and effective implementation of, and training on, the bank’s risk policies.

Exceptions
Even with the best policies and most effective teams employing them, exceptions to, and violations of, policies will occur. The regulators understand this, and it is unlikely they will criticize the bank for individual exceptions/violations. However, it is highly likely the regulators will criticize the bank for the failure of the board and management to identify and take steps to correct such exceptions/violations. The board should receive regular reports identifying material exceptions/violations and management’s proposed corrective action. Corrective action should be specific, detailed and contain appropriate time frames within which it will be taken.

Board Minutes
Well-crafted board meeting minutes can be the bank’s best friend when it comes to showing evidence of its risk management culture. The minutes should reflect the board’s deliberations relating to the key risks affecting the bank and the processes, procedures and steps the bank takes to manage those risks. They should not be a complete transcript of the meeting but should contain sufficient detail to enable the reader to confidently say, “I know what took place at this meeting.” Minutes should be prepared in draft form as near in time as is practical to the meeting, while memories are fresh, and promptly circulated in draft form to the directors for comment. Properly done, board minutes help tell the bank’s risk management story.

Your bank will be best served if your directors buy into the statement, “The bank’s risk management culture must begin at the top.”