|Three key steps community banks can take to mitigate the risk of failure|
Learn from others’ trouble
Risk management, internal audit, and a serious assessment of the board-management team represent triple-prong approach to corporate rustproofing
The carnage seen in recent high rates of bank failures, while lamentable, carry one benefit: There are invaluable lessons to be learned from those failures for the vast majority that survive.
The failed institutions that required an official “material loss review” by FDIC’s Office of the Inspector General all share frighteningly similar characteristics. Most were small, community banks with poor management and board oversight. Many also shared a laundry list of other problems. These included weak risk management controls; a heavy concentration of commercial real estate and acquisition development and construction loans; weak audit procedures and controls; a lack of contingency funding; inadequate capital; and heavy reliance on brokered deposits. However, the two primary issues were an overextension of commercial real estate loans at the end of the market bubble, and an overall lack of proper controls.
Many banks have started taking measures to continue to manage the fallout of recent market events. To prevent future failures, boards must look at long-term fixes to their operations and how they manage risk. Specifically, bank directors should put three line items on the agenda for their next board meeting to address as soon as possible: the banks’ risk and control management processes; the internal audit program; and a serious re-examination of the board/management team.
Risk and control management
The board, through the bank’s business line leaders, must focus on ensuring that an effective risk and control management process is in place—including credit, funding, and capital risks. This typically starts with an enterprise-wide risk assessment to identify key risk indicators. After these are identified, they would then be monitored regularly at a line-of-business level. It’s critical that these risk indicators feed into senior management level reports that can provide the Board with a snapshot of the areas of control weaknesses.
Each bank is going to find different risks based on its specific business model, geographical footprint, and the markets it serves. However, there are some common risk factors that most community banks share under the current economic and regulatory environment. Among them: the bank’s overall credit quality; credit concentration exposure; capital requirements; liquidity; regulatory developments; and reputational risk. Once these key risks are identified, the next step is to quantify those risks against each line of business. The business line leaders should be responsible for the analysis of these identified risks, and measure them against all functional processes within their business. Existing operations should be mapped out, and leaders can identify all key risk controls that should be embedded within these established systems.
Once this initial risk assessment process is complete, the business, in conjunction with staff handling the bank’s operational risk, quality control, regulatory compliance, and internal audit needs to identify existing testing programs for each of these identified line of business processes. Where such programs already exist, then the new assessment results may identify new areas of focus or suggest other changes. If new programs need to be implemented, then the bank needs to create testing templates and assign an appropriate “owner” to perform this analysis regularly. These tests are sometimes referred to as “control self-assessments” if performed directly by the line of business; in this case, the results should always be validated by one of the control functions mentioned earlier.
After running tests, the findings and corrective actions should be reported to bank management. This report, or ”heat map” as it is sometimes referred to, should identify all control weaknesses and rank them as high, medium, or low risk to the bank. The business-line leaders should be given responsibility and accountability for the monitoring and remediation of the control weaknesses.
These heat maps should roll up to senior management and the board on a pre-determined basis to give them a snapshot of the bank’s overall control issues. The reports highlight early warnings of problem areas. It is then up to management and the board to ensure proper attention is given to these issues. Actions can and should be taken at that point to mitigate the risk to avoid issues that lead to bank performance problems, and, in the worst case scenario, a bank failure.
Internal audit program
A strong internal audit program can help ensure stability throughout the institution as well. The banks that have been criticized by regulators over the past few years for weak internal control audit programs did not focus on addressing the issues identified in specific regulatory guidance. Bank examiners will review a variety of areas that are regulated including: safety and soundness, Bank Secrecy Act, information technology, consumer compliance, and the Community Reinvestment Act. An internal audit program should source its regulatory audit program guide to the bank’s primary federal regulators’ exam management guidance. The audit program should be built to ensure overall coverage.
Banks need to demonstrate that the internal auditors are qualified to perform such regulatory reviews. If the current staff does not have the requisite knowledge or experience, strong consideration should be given to using contract staff or external auditors until internal staff can be trained in these specific areas of regulatory review. It is important to note that the federal regulators will rely on internal audit programs as part of the regulatory examination process, so it behooves the bank to ensure that it has a robust internal audit program.
Furthermore, bank management and boards should not rely on the auditor’s overview report and be sure to drill down into each line of business’ assessment. Often, the auditor will give the bank a clear bill of health—but deeper into the report will highlight areas of weakness in smaller divisions of the banks. It’s important that management ensures that the line-of-business leaders address these identified risks with remedial action plans.
The board’s toughest job may be taking a hard look at itself and how it functions. Are the right people on the board to lead the company though the challenges that lie ahead? Is everyone truly well-versed in the banking industry, to the degree necessary for competent oversight? Is everyone appropriately equipped to make the best decisions?
If this examination finds the bank has board members that aren’t knowledgeable about the industry or related challenges the bank is facing, consider asking them to step down and looking for directors with more relevant experience.
The problem is that traditionally, small community bank boards and even some regional banks are made up of key local business leaders or close friends of the bank’s chairman or CEO—making this a politically difficult move. In addition, finding well-qualified and amenable board members is not always easy. One alternative to replacing existing members is to provide clear management training and oversight responsibility by qualified board advisory consultants that can provide corporate governance, financial reporting, and financial strategy guidance.
Furthermore, the bank’s board should ensure they have the right management team in place to take the organization where it wants to go. Boards should also ask questions about credit management staffing and strategies to ensure the bank is capably and appropriately addressing the changing regulatory environment. Individuals with strong credit policy, credit classification, and collection and recovery experience are essentials for banks today.
The above steps aren’t a magic bullet. But they can help arm banks with stronger controls and oversight to navigate through this crisis and put them in a position to recoup losses and reach profitability in the future.
About the author
Gene J. Truono is a Managing Director at BDO Consulting, a division of BDO Seidman, LLP, in the New York office. He is responsible for the firm’s Financial Institution Consulting practice, including initiatives related to anti-money laundering, mortgage lending investigations, and regulatory compliance. Truono has over 20 years of banking, regulatory compliance, and legal experience covering all aspects of banking.
[This article was posted on March 18, 2010, on the website of ABA Banking Journal, www.ababj.com, and is copyright 2010 by the American Bankers Association.]
| TechTopics Plus