How Well is Your Board Managing Risk?
Banking regulation is a lot like gravity. What goes up, generally comes back down.
The same is likely to be true when it comes to board self-assessments. The Federal Reserve has proposed guidance that would require the largest bank boards to conduct self-assessments. What does that mean for the industry and its smaller players?
I sat down with Karl Nelson, founder and CEO of KPN Consulting, for his insights on the evolution of board self-assessments and the role they play in managing risk. Our conversation has been edited and condensed.
Why are regulators interested in self-assessments?
Regulators are making sure the board provides proper oversight. It’s been heightened considerably by the crisis itself and, of course, the Wells Fargo situation. In essence what’s happening is regulators are pushing boards to be much more strategic in their focus to find ways to oversee the bank on a more strategic basis as opposed to something that is often very tactical.
For example, for a board to approve the CD rate for one year is a very tactical concept that I just don’t think is very relevant. To have the board decide whether or not it should have certain kinds of different deposit accounts is a more strategic decision. What regulators like to see is boards take up issues around risk in particular that are much larger in scope and not really tactical in nature.
Another example: Rather than a board approving individual loans, wouldn’t it be better for the board to understand the philosophy of the bank’s lending program and set limits on different kinds of lending?
It’s enterprise risk management, which is being pushed very hard by the Federal Reserve and the OCC.
How common are board self-assessments at smaller financial institutions?
We just don’t see much of it in the community bank world. Once in a while you’ll see an attempt by a bank to sort of grade a director in terms of how much business they’ve brought in in a given year, but in terms of trying to assess capability to oversee risk, I can’t tell you I’ve honestly seen anyone do that.
What do we know about expectations for board assessments?
The big conversation is ERM and the subconversation is about the risks identified, including the eight risks the OCC has identified (credit, interest rate, liquidity, price, operational, compliance, strategic and reputation).
To this point, I would say two have been completely described and are part of what every bank does: interest rate and liquidity risk. Credit risk is clearly being addressed for the largest institutions. I think regulators are looking to industry to come up with what kind of risk assessment makes sense based on complexity and size. Clearly one size does not fit all.
I think that’s exactly how it will go for compliance, operational, and reputation risk. That big idea is what should a board be doing to assess itself, which falls into the broad category of governance.
What regulators are hoping, I think, is that more advanced players will begin to develop methodologies for those and come back with best practices. They’ll never tell a banker what to do but will describe best practices.
Where should a board begin with a self-assessment?
Look for data points. Start with credit risk. Have the board assess things like delinquency in the loan portfolio. You want directors to assess exceptions made to loan policy. Have boards assess rating grade migration—how accurately banks graded their loans and how quickly they are able to discern deterioration in those grades. They are going to want to know whether or not allowance for loan losses is sufficient for future losses and get them involved in the big picture about lending instead of a specific picture of that loan or borrower.
Tactical is worrying about loan. Strategic is worrying about the entire portfolio. What are data points for the entire portfolio? That’s where I believe they want directors focused.
A good risk assessment of credit risk would first have the board define what excellent performance is. For instance, excellent performance is delinquencies of no more than 1.5 percent and measured against actual performance. Regulators want the board to take a strong hand in deciding what good performance is in that data point and monitoring typically on a monthly basis how those performance indicators are actually performing.
They want to know the board has been active in if not creating those markers, then at least in understanding or approving them. Boards don’t have the same depth of understanding as management, but regulators want the board to understand that those are sufficient markers for those risks.
How do you actually assess how well the board is managing risk?
Start with the eight risks from OCC in ERM program. The only caveat is that the Federal Reserve appears to be saying that reputation risk is not one of those but rather the end result of failure in one of those. The banks are going to have to develop key risk indicators and key performance indicators for any markers they think are important to understanding those risks.
I think as those risks, markers, and performance indicators are established, they will likely be different for different kinds of banks with different complexity. Much like interest rate and liquidity risk, you will see much more definitive guidance about what they expect.
Only then can you create a full risk assessment of the board’s ability. Until you know what those markers are, you can’t measure them against something. I think bankers, particularly those worried about exams, will throw a bunch of stuff against a wall to see if it sticks, but you really won’t ever get an examiner to say that’s exactly what you should do. They are afraid to say it to a $200 million bank and be wrong. They’ll say it depends, and it does. It depends on complexity and asset size.
These markers will be developed over time in different ways.
Where are self-assessments headed?
The key is that you have to tie this board self-assessment into where this entire risk assessment world is headed. It’s clearly headed away from backward-looking ratio analysis to forward-looking what-if analysis. The final measure of a board being able to self-assess will be a function of its understanding of how we’ve developed those forward-looking concepts for those seven or eight risks. That will take time.